1 use crate::borrow_check::ArtificialField;
2 use crate::borrow_check::Overlap;
3 use crate::borrow_check::{AccessDepth, Deep, Shallow};
4 use rustc::mir::{Body, BorrowKind, Place, PlaceBase, PlaceElem, PlaceRef, ProjectionElem};
5 use rustc::ty::{self, TyCtxt};
9 /// When checking if a place conflicts with another place, this enum is used to influence decisions
10 /// where a place might be equal or disjoint with another place, such as if `a[i] == a[j]`.
11 /// `PlaceConflictBias::Overlap` would bias toward assuming that `i` might equal `j` and that these
12 /// places overlap. `PlaceConflictBias::NoOverlap` assumes that for the purposes of the predicate
13 /// being run in the calling context, the conservative choice is to assume the compared indices
14 /// are disjoint (and therefore, do not overlap).
15 #[derive(Copy, Clone, Debug, Eq, PartialEq)]
16 crate enum PlaceConflictBias {
21 /// Helper function for checking if places conflict with a mutable borrow and deep access depth.
22 /// This is used to check for places conflicting outside of the borrow checking code (such as in
24 crate fn places_conflict<'tcx>(
26 param_env: ty::ParamEnv<'tcx>,
28 borrow_place: &Place<'tcx>,
29 access_place: &Place<'tcx>,
30 bias: PlaceConflictBias,
32 borrow_conflicts_with_place(
37 BorrowKind::Mut { allow_two_phase_borrow: true },
38 access_place.as_ref(),
44 /// Checks whether the `borrow_place` conflicts with the `access_place` given a borrow kind and
45 /// access depth. The `bias` parameter is used to determine how the unknowable (comparing runtime
46 /// array indices, for example) should be interpreted - this depends on what the caller wants in
47 /// order to make the conservative choice and preserve soundness.
48 pub(super) fn borrow_conflicts_with_place<'tcx>(
50 param_env: ty::ParamEnv<'tcx>,
52 borrow_place: &Place<'tcx>,
53 borrow_kind: BorrowKind,
54 access_place: PlaceRef<'_, 'tcx>,
56 bias: PlaceConflictBias,
59 "borrow_conflicts_with_place({:?}, {:?}, {:?}, {:?})",
60 borrow_place, access_place, access, bias,
63 // This Local/Local case is handled by the more general code below, but
64 // it's so common that it's a speed win to check for it first.
65 if let Some(l1) = borrow_place.as_local() {
66 if let Some(l2) = access_place.as_local() {
71 place_components_conflict(
83 fn place_components_conflict<'tcx>(
85 param_env: ty::ParamEnv<'tcx>,
87 borrow_place: &Place<'tcx>,
88 borrow_kind: BorrowKind,
89 access_place: PlaceRef<'_, 'tcx>,
91 bias: PlaceConflictBias,
93 // The borrowck rules for proving disjointness are applied from the "root" of the
94 // borrow forwards, iterating over "similar" projections in lockstep until
95 // we can prove overlap one way or another. Essentially, we treat `Overlap` as
96 // a monoid and report a conflict if the product ends up not being `Disjoint`.
98 // At each step, if we didn't run out of borrow or place, we know that our elements
99 // have the same type, and that they only overlap if they are the identical.
101 // For example, if we are comparing these:
102 // BORROW: (*x1[2].y).z.a
103 // ACCESS: (*x1[i].y).w.b
105 // Then our steps are:
106 // x1 | x1 -- places are the same
107 // x1[2] | x1[i] -- equal or disjoint (disjoint if indexes differ)
108 // x1[2].y | x1[i].y -- equal or disjoint
109 // *x1[2].y | *x1[i].y -- equal or disjoint
110 // (*x1[2].y).z | (*x1[i].y).w -- we are disjoint and don't need to check more!
112 // Because `zip` does potentially bad things to the iterator inside, this loop
113 // also handles the case where the access might be a *prefix* of the borrow, e.g.
115 // BORROW: (*x1[2].y).z.a
118 // Then our steps are:
119 // x1 | x1 -- places are the same
120 // x1[2] | x1[i] -- equal or disjoint (disjoint if indexes differ)
121 // x1[2].y | x1[i].y -- equal or disjoint
123 // -- here we run out of access - the borrow can access a part of it. If this
124 // is a full deep access, then we *know* the borrow conflicts with it. However,
125 // if the access is shallow, then we can proceed:
127 // x1[2].y | (*x1[i].y) -- a deref! the access can't get past this, so we
130 // Our invariant is, that at each step of the iteration:
131 // - If we didn't run out of access to match, our borrow and access are comparable
132 // and either equal or disjoint.
133 // - If we did run out of access, the borrow can access a part of it.
135 let borrow_base = &borrow_place.base;
136 let access_base = access_place.base;
138 match place_base_conflict(tcx, param_env, borrow_base, access_base) {
139 Overlap::Arbitrary => {
140 bug!("Two base can't return Arbitrary");
142 Overlap::EqualOrDisjoint => {
143 // This is the recursive case - proceed to the next element.
145 Overlap::Disjoint => {
146 // We have proven the borrow disjoint - further
147 // projections will remain disjoint.
148 debug!("borrow_conflicts_with_place: disjoint");
153 // loop invariant: borrow_c is always either equal to access_c or disjoint from it.
154 for (i, (borrow_c, access_c)) in
155 borrow_place.projection.iter().zip(access_place.projection.iter()).enumerate()
157 debug!("borrow_conflicts_with_place: borrow_c = {:?}", borrow_c);
158 let borrow_proj_base = &borrow_place.projection[..i];
160 debug!("borrow_conflicts_with_place: access_c = {:?}", access_c);
162 // Borrow and access path both have more components.
166 // - borrow of `a.(...)`, access to `a.(...)`
167 // - borrow of `a.(...)`, access to `b.(...)`
169 // Here we only see the components we have checked so
170 // far (in our examples, just the first component). We
171 // check whether the components being borrowed vs
172 // accessed are disjoint (as in the second example,
173 // but not the first).
174 match place_projection_conflict(
183 Overlap::Arbitrary => {
184 // We have encountered different fields of potentially
185 // the same union - the borrow now partially overlaps.
187 // There is no *easy* way of comparing the fields
188 // further on, because they might have different types
189 // (e.g., borrows of `u.a.0` and `u.b.y` where `.0` and
190 // `.y` come from different structs).
192 // We could try to do some things here - e.g., count
193 // dereferences - but that's probably not a good
194 // idea, at least for now, so just give up and
195 // report a conflict. This is unsafe code anyway so
196 // the user could always use raw pointers.
197 debug!("borrow_conflicts_with_place: arbitrary -> conflict");
200 Overlap::EqualOrDisjoint => {
201 // This is the recursive case - proceed to the next element.
203 Overlap::Disjoint => {
204 // We have proven the borrow disjoint - further
205 // projections will remain disjoint.
206 debug!("borrow_conflicts_with_place: disjoint");
212 if borrow_place.projection.len() > access_place.projection.len() {
213 for (i, elem) in borrow_place.projection[access_place.projection.len()..].iter().enumerate()
215 // Borrow path is longer than the access path. Examples:
217 // - borrow of `a.b.c`, access to `a.b`
219 // Here, we know that the borrow can access a part of
220 // our place. This is a conflict if that is a part our
221 // access cares about.
223 let proj_base = &borrow_place.projection[..access_place.projection.len() + i];
224 let base_ty = Place::ty_from(borrow_base, proj_base, body, tcx).ty;
226 match (elem, &base_ty.kind, access) {
227 (_, _, Shallow(Some(ArtificialField::ArrayLength)))
228 | (_, _, Shallow(Some(ArtificialField::ShallowBorrow))) => {
229 // The array length is like additional fields on the
230 // type; it does not overlap any existing data there.
231 // Furthermore, if cannot actually be a prefix of any
232 // borrowed place (at least in MIR as it is currently.)
234 // e.g., a (mutable) borrow of `a[5]` while we read the
235 // array length of `a`.
236 debug!("borrow_conflicts_with_place: implicit field");
240 (ProjectionElem::Deref, _, Shallow(None)) => {
241 // e.g., a borrow of `*x.y` while we shallowly access `x.y` or some
242 // prefix thereof - the shallow access can't touch anything behind
244 debug!("borrow_conflicts_with_place: shallow access behind ptr");
247 (ProjectionElem::Deref, ty::Ref(_, _, hir::Mutability::Not), _) => {
248 // Shouldn't be tracked
249 bug!("Tracking borrow behind shared reference.");
251 (ProjectionElem::Deref, ty::Ref(_, _, hir::Mutability::Mut), AccessDepth::Drop) => {
252 // Values behind a mutable reference are not access either by dropping a
253 // value, or by StorageDead
254 debug!("borrow_conflicts_with_place: drop access behind ptr");
258 (ProjectionElem::Field { .. }, ty::Adt(def, _), AccessDepth::Drop) => {
259 // Drop can read/write arbitrary projections, so places
260 // conflict regardless of further projections.
261 if def.has_dtor(tcx) {
266 (ProjectionElem::Deref, _, Deep)
267 | (ProjectionElem::Deref, _, AccessDepth::Drop)
268 | (ProjectionElem::Field { .. }, _, _)
269 | (ProjectionElem::Index { .. }, _, _)
270 | (ProjectionElem::ConstantIndex { .. }, _, _)
271 | (ProjectionElem::Subslice { .. }, _, _)
272 | (ProjectionElem::Downcast { .. }, _, _) => {
273 // Recursive case. This can still be disjoint on a
274 // further iteration if this a shallow access and
275 // there's a deref later on, e.g., a borrow
276 // of `*x.y` while accessing `x`.
282 // Borrow path ran out but access path may not
285 // - borrow of `a.b`, access to `a.b.c`
286 // - borrow of `a.b`, access to `a.b`
288 // In the first example, where we didn't run out of
289 // access, the borrow can access all of our place, so we
292 // If the second example, where we did, then we still know
293 // that the borrow can access a *part* of our place that
294 // our access cares about, so we still have a conflict.
295 if borrow_kind == BorrowKind::Shallow
296 && borrow_place.projection.len() < access_place.projection.len()
298 debug!("borrow_conflicts_with_place: shallow borrow");
301 debug!("borrow_conflicts_with_place: full borrow, CONFLICT");
306 // Given that the bases of `elem1` and `elem2` are always either equal
307 // or disjoint (and have the same type!), return the overlap situation
308 // between `elem1` and `elem2`.
309 fn place_base_conflict<'tcx>(
311 _param_env: ty::ParamEnv<'tcx>,
312 elem1: &PlaceBase<'tcx>,
313 elem2: &PlaceBase<'tcx>,
315 match (elem1, elem2) {
316 (PlaceBase::Local(l1), PlaceBase::Local(l2)) => {
318 // the same local - base case, equal
319 debug!("place_element_conflict: DISJOINT-OR-EQ-LOCAL");
320 Overlap::EqualOrDisjoint
322 // different locals - base case, disjoint
323 debug!("place_element_conflict: DISJOINT-LOCAL");
327 (PlaceBase::Static(s1), PlaceBase::Static(s2)) => {
328 if s1.def_id != s2.def_id {
329 debug!("place_element_conflict: DISJOINT-STATIC");
331 } else if tcx.is_mutable_static(s1.def_id) {
332 // We ignore mutable statics - they can only be unsafe code.
333 debug!("place_element_conflict: IGNORE-STATIC-MUT");
336 debug!("place_element_conflict: DISJOINT-OR-EQ-STATIC");
337 Overlap::EqualOrDisjoint
340 (PlaceBase::Local(_), PlaceBase::Static(_))
341 | (PlaceBase::Static(_), PlaceBase::Local(_)) => {
342 debug!("place_element_conflict: DISJOINT-STATIC-LOCAL-PROMOTED");
348 // Given that the bases of `elem1` and `elem2` are always either equal
349 // or disjoint (and have the same type!), return the overlap situation
350 // between `elem1` and `elem2`.
351 fn place_projection_conflict<'tcx>(
354 pi1_base: &PlaceBase<'tcx>,
355 pi1_proj_base: &[PlaceElem<'tcx>],
356 pi1_elem: &PlaceElem<'tcx>,
357 pi2_elem: &PlaceElem<'tcx>,
358 bias: PlaceConflictBias,
360 match (pi1_elem, pi2_elem) {
361 (ProjectionElem::Deref, ProjectionElem::Deref) => {
362 // derefs (e.g., `*x` vs. `*x`) - recur.
363 debug!("place_element_conflict: DISJOINT-OR-EQ-DEREF");
364 Overlap::EqualOrDisjoint
366 (ProjectionElem::Field(f1, _), ProjectionElem::Field(f2, _)) => {
368 // same field (e.g., `a.y` vs. `a.y`) - recur.
369 debug!("place_element_conflict: DISJOINT-OR-EQ-FIELD");
370 Overlap::EqualOrDisjoint
372 let ty = Place::ty_from(pi1_base, pi1_proj_base, body, tcx).ty;
374 ty::Adt(def, _) if def.is_union() => {
375 // Different fields of a union, we are basically stuck.
376 debug!("place_element_conflict: STUCK-UNION");
380 // Different fields of a struct (`a.x` vs. `a.y`). Disjoint!
381 debug!("place_element_conflict: DISJOINT-FIELD");
387 (ProjectionElem::Downcast(_, v1), ProjectionElem::Downcast(_, v2)) => {
388 // different variants are treated as having disjoint fields,
389 // even if they occupy the same "space", because it's
390 // impossible for 2 variants of the same enum to exist
391 // (and therefore, to be borrowed) at the same time.
393 // Note that this is different from unions - we *do* allow
394 // this code to compile:
397 // fn foo(x: &mut Result<i32, i32>) {
399 // if let Ok(ref mut a) = *x {
402 // // here, you would *think* that the
403 // // *entirety* of `x` would be borrowed,
404 // // but in fact only the `Ok` variant is,
405 // // so the `Err` variant is *entirely free*:
406 // if let Err(ref mut a) = *x {
413 debug!("place_element_conflict: DISJOINT-OR-EQ-FIELD");
414 Overlap::EqualOrDisjoint
416 debug!("place_element_conflict: DISJOINT-FIELD");
420 (ProjectionElem::Index(..), ProjectionElem::Index(..))
421 | (ProjectionElem::Index(..), ProjectionElem::ConstantIndex { .. })
422 | (ProjectionElem::Index(..), ProjectionElem::Subslice { .. })
423 | (ProjectionElem::ConstantIndex { .. }, ProjectionElem::Index(..))
424 | (ProjectionElem::Subslice { .. }, ProjectionElem::Index(..)) => {
425 // Array indexes (`a[0]` vs. `a[i]`). These can either be disjoint
426 // (if the indexes differ) or equal (if they are the same).
428 PlaceConflictBias::Overlap => {
429 // If we are biased towards overlapping, then this is the recursive
430 // case that gives "equal *or* disjoint" its meaning.
431 debug!("place_element_conflict: DISJOINT-OR-EQ-ARRAY-INDEX");
432 Overlap::EqualOrDisjoint
434 PlaceConflictBias::NoOverlap => {
435 // If we are biased towards no overlapping, then this is disjoint.
436 debug!("place_element_conflict: DISJOINT-ARRAY-INDEX");
442 ProjectionElem::ConstantIndex { offset: o1, min_length: _, from_end: false },
443 ProjectionElem::ConstantIndex { offset: o2, min_length: _, from_end: false },
446 ProjectionElem::ConstantIndex { offset: o1, min_length: _, from_end: true },
447 ProjectionElem::ConstantIndex { offset: o2, min_length: _, from_end: true },
450 debug!("place_element_conflict: DISJOINT-OR-EQ-ARRAY-CONSTANT-INDEX");
451 Overlap::EqualOrDisjoint
453 debug!("place_element_conflict: DISJOINT-ARRAY-CONSTANT-INDEX");
458 ProjectionElem::ConstantIndex {
459 offset: offset_from_begin,
460 min_length: min_length1,
463 ProjectionElem::ConstantIndex {
464 offset: offset_from_end,
465 min_length: min_length2,
470 ProjectionElem::ConstantIndex {
471 offset: offset_from_end,
472 min_length: min_length1,
475 ProjectionElem::ConstantIndex {
476 offset: offset_from_begin,
477 min_length: min_length2,
481 // both patterns matched so it must be at least the greater of the two
482 let min_length = max(min_length1, min_length2);
483 // `offset_from_end` can be in range `[1..min_length]`, 1 indicates the last
484 // element (like -1 in Python) and `min_length` the first.
485 // Therefore, `min_length - offset_from_end` gives the minimal possible
486 // offset from the beginning
487 if *offset_from_begin >= *min_length - *offset_from_end {
488 debug!("place_element_conflict: DISJOINT-OR-EQ-ARRAY-CONSTANT-INDEX-FE");
489 Overlap::EqualOrDisjoint
491 debug!("place_element_conflict: DISJOINT-ARRAY-CONSTANT-INDEX-FE");
496 ProjectionElem::ConstantIndex { offset, min_length: _, from_end: false },
497 ProjectionElem::Subslice { from, to, from_end: false },
500 ProjectionElem::Subslice { from, to, from_end: false },
501 ProjectionElem::ConstantIndex { offset, min_length: _, from_end: false },
503 if (from..to).contains(&offset) {
504 debug!("place_element_conflict: DISJOINT-OR-EQ-ARRAY-CONSTANT-INDEX-SUBSLICE");
505 Overlap::EqualOrDisjoint
507 debug!("place_element_conflict: DISJOINT-ARRAY-CONSTANT-INDEX-SUBSLICE");
512 ProjectionElem::ConstantIndex { offset, min_length: _, from_end: false },
513 ProjectionElem::Subslice { from, .. },
516 ProjectionElem::Subslice { from, .. },
517 ProjectionElem::ConstantIndex { offset, min_length: _, from_end: false },
520 debug!("place_element_conflict: DISJOINT-OR-EQ-SLICE-CONSTANT-INDEX-SUBSLICE");
521 Overlap::EqualOrDisjoint
523 debug!("place_element_conflict: DISJOINT-SLICE-CONSTANT-INDEX-SUBSLICE");
528 ProjectionElem::ConstantIndex { offset, min_length: _, from_end: true },
529 ProjectionElem::Subslice { to, from_end: true, .. },
532 ProjectionElem::Subslice { to, from_end: true, .. },
533 ProjectionElem::ConstantIndex { offset, min_length: _, from_end: true },
537 "place_element_conflict: \
538 DISJOINT-OR-EQ-SLICE-CONSTANT-INDEX-SUBSLICE-FE"
540 Overlap::EqualOrDisjoint
542 debug!("place_element_conflict: DISJOINT-SLICE-CONSTANT-INDEX-SUBSLICE-FE");
547 ProjectionElem::Subslice { from: f1, to: t1, from_end: false },
548 ProjectionElem::Subslice { from: f2, to: t2, from_end: false },
550 if f2 >= t1 || f1 >= t2 {
551 debug!("place_element_conflict: DISJOINT-ARRAY-SUBSLICES");
554 debug!("place_element_conflict: DISJOINT-OR-EQ-ARRAY-SUBSLICES");
555 Overlap::EqualOrDisjoint
558 (ProjectionElem::Subslice { .. }, ProjectionElem::Subslice { .. }) => {
559 debug!("place_element_conflict: DISJOINT-OR-EQ-SLICE-SUBSLICES");
560 Overlap::EqualOrDisjoint
562 (ProjectionElem::Deref, _)
563 | (ProjectionElem::Field(..), _)
564 | (ProjectionElem::Index(..), _)
565 | (ProjectionElem::ConstantIndex { .. }, _)
566 | (ProjectionElem::Subslice { .. }, _)
567 | (ProjectionElem::Downcast(..), _) => bug!(
568 "mismatched projections in place_element_conflict: {:?} and {:?}",