1 // Copyright 2012-2014 The Rust Project Developers. See the COPYRIGHT
2 // file at the top-level directory of this distribution and at
3 // http://rust-lang.org/COPYRIGHT.
5 // Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
6 // http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
7 // <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your
8 // option. This file may not be copied, modified, or distributed
9 // except according to those terms.
11 // Do not remove on snapshot creation. Needed for bootstrap. (Issue #22364)
12 #![cfg_attr(stage0, feature(custom_attribute))]
13 #![crate_name = "rustc_privacy"]
14 #![unstable(feature = "rustc_private", issue = "27812")]
15 #![cfg_attr(stage0, staged_api)]
16 #![crate_type = "dylib"]
17 #![crate_type = "rlib"]
18 #![doc(html_logo_url = "https://www.rust-lang.org/logos/rust-logo-128x128-blk-v2.png",
19 html_favicon_url = "https://doc.rust-lang.org/favicon.ico",
20 html_root_url = "https://doc.rust-lang.org/nightly/")]
22 #![feature(rustc_diagnostic_macros)]
23 #![feature(rustc_private)]
24 #![feature(staged_api)]
26 #[macro_use] extern crate log;
27 #[macro_use] extern crate syntax;
30 extern crate rustc_front;
32 use self::PrivacyResult::*;
33 use self::FieldName::*;
36 use std::mem::replace;
39 use rustc_front::intravisit::{self, Visitor};
41 use rustc::middle::def;
42 use rustc::middle::def_id::DefId;
43 use rustc::middle::privacy::{AccessLevel, AccessLevels};
44 use rustc::middle::privacy::ImportUse::*;
45 use rustc::middle::privacy::LastPrivate::*;
46 use rustc::middle::privacy::PrivateDep::*;
47 use rustc::middle::privacy::ExternalExports;
48 use rustc::middle::ty;
49 use rustc::util::nodemap::NodeMap;
50 use rustc::front::map as ast_map;
53 use syntax::codemap::Span;
57 type Context<'a, 'tcx> = (&'a ty::MethodMap<'tcx>, &'a def::ExportMap);
59 /// Result of a checking operation - None => no errors were found. Some => an
60 /// error and contains the span and message for reporting that error and
61 /// optionally the same for a note about the error.
62 type CheckResult = Option<(Span, String, Option<(Span, String)>)>;
64 ////////////////////////////////////////////////////////////////////////////////
65 /// The parent visitor, used to determine what's the parent of what (node-wise)
66 ////////////////////////////////////////////////////////////////////////////////
68 struct ParentVisitor<'a, 'tcx:'a> {
69 tcx: &'a ty::ctxt<'tcx>,
70 parents: NodeMap<ast::NodeId>,
71 curparent: ast::NodeId,
74 impl<'a, 'tcx, 'v> Visitor<'v> for ParentVisitor<'a, 'tcx> {
75 /// We want to visit items in the context of their containing
76 /// module and so forth, so supply a crate for doing a deep walk.
77 fn visit_nested_item(&mut self, item: hir::ItemId) {
78 self.visit_item(self.tcx.map.expect_item(item.id))
80 fn visit_item(&mut self, item: &hir::Item) {
81 self.parents.insert(item.id, self.curparent);
83 let prev = self.curparent;
85 hir::ItemMod(..) => { self.curparent = item.id; }
86 // Enum variants are parented to the enum definition itself because
87 // they inherit privacy
88 hir::ItemEnum(ref def, _) => {
89 for variant in &def.variants {
90 // The parent is considered the enclosing enum because the
91 // enum will dictate the privacy visibility of this variant
93 self.parents.insert(variant.node.data.id(), item.id);
97 // Trait methods are always considered "public", but if the trait is
98 // private then we need some private item in the chain from the
99 // method to the root. In this case, if the trait is private, then
100 // parent all the methods to the trait to indicate that they're
102 hir::ItemTrait(_, _, _, ref trait_items) if item.vis != hir::Public => {
103 for trait_item in trait_items {
104 self.parents.insert(trait_item.id, item.id);
110 intravisit::walk_item(self, item);
111 self.curparent = prev;
114 fn visit_foreign_item(&mut self, a: &hir::ForeignItem) {
115 self.parents.insert(a.id, self.curparent);
116 intravisit::walk_foreign_item(self, a);
119 fn visit_fn(&mut self, a: intravisit::FnKind<'v>, b: &'v hir::FnDecl,
120 c: &'v hir::Block, d: Span, id: ast::NodeId) {
121 // We already took care of some trait methods above, otherwise things
122 // like impl methods and pub trait methods are parented to the
123 // containing module, not the containing trait.
124 if !self.parents.contains_key(&id) {
125 self.parents.insert(id, self.curparent);
127 intravisit::walk_fn(self, a, b, c, d);
130 fn visit_impl_item(&mut self, ii: &'v hir::ImplItem) {
131 // visit_fn handles methods, but associated consts have to be handled
133 if !self.parents.contains_key(&ii.id) {
134 self.parents.insert(ii.id, self.curparent);
136 intravisit::walk_impl_item(self, ii);
139 fn visit_variant_data(&mut self, s: &hir::VariantData, _: ast::Name,
140 _: &'v hir::Generics, item_id: ast::NodeId, _: Span) {
141 // Struct constructors are parented to their struct definitions because
142 // they essentially are the struct definitions.
144 self.parents.insert(s.id(), item_id);
147 // While we have the id of the struct definition, go ahead and parent
149 for field in s.fields() {
150 self.parents.insert(field.node.id, self.curparent);
152 intravisit::walk_struct_def(self, s)
156 ////////////////////////////////////////////////////////////////////////////////
157 /// The embargo visitor, used to determine the exports of the ast
158 ////////////////////////////////////////////////////////////////////////////////
160 struct EmbargoVisitor<'a, 'tcx: 'a> {
161 tcx: &'a ty::ctxt<'tcx>,
162 export_map: &'a def::ExportMap,
164 // Accessibility levels for reachable nodes
165 access_levels: AccessLevels,
166 // Previous accessibility level, None means unreachable
167 prev_level: Option<AccessLevel>,
168 // Have something changed in the level map?
172 impl<'a, 'tcx> EmbargoVisitor<'a, 'tcx> {
173 fn ty_level(&self, ty: &hir::Ty) -> Option<AccessLevel> {
174 if let hir::TyPath(..) = ty.node {
175 match self.tcx.def_map.borrow().get(&ty.id).unwrap().full_def() {
176 def::DefPrimTy(..) | def::DefSelfTy(..) | def::DefTyParam(..) => {
177 Some(AccessLevel::Public)
180 if let Some(node_id) = self.tcx.map.as_local_node_id(def.def_id()) {
183 Some(AccessLevel::Public)
188 Some(AccessLevel::Public)
192 fn trait_level(&self, trait_ref: &hir::TraitRef) -> Option<AccessLevel> {
193 let did = self.tcx.trait_ref_to_def_id(trait_ref);
194 if let Some(node_id) = self.tcx.map.as_local_node_id(did) {
197 Some(AccessLevel::Public)
201 fn get(&self, id: ast::NodeId) -> Option<AccessLevel> {
202 self.access_levels.map.get(&id).cloned()
205 // Updates node level and returns the updated level
206 fn update(&mut self, id: ast::NodeId, level: Option<AccessLevel>) -> Option<AccessLevel> {
207 let old_level = self.get(id);
208 // Accessibility levels can only grow
209 if level > old_level {
210 self.access_levels.map.insert(id, level.unwrap());
219 impl<'a, 'tcx, 'v> Visitor<'v> for EmbargoVisitor<'a, 'tcx> {
220 /// We want to visit items in the context of their containing
221 /// module and so forth, so supply a crate for doing a deep walk.
222 fn visit_nested_item(&mut self, item: hir::ItemId) {
223 self.visit_item(self.tcx.map.expect_item(item.id))
226 fn visit_item(&mut self, item: &hir::Item) {
227 let inherited_item_level = match item.node {
228 // Impls inherit level from their types and traits
229 hir::ItemImpl(_, _, _, None, ref ty, _) => {
232 hir::ItemImpl(_, _, _, Some(ref trait_ref), ref ty, _) => {
233 cmp::min(self.ty_level(&ty), self.trait_level(trait_ref))
235 hir::ItemDefaultImpl(_, ref trait_ref) => {
236 self.trait_level(trait_ref)
238 // Foreign mods inherit level from parents
239 hir::ItemForeignMod(..) => {
242 // Other `pub` items inherit levels from parents
244 if item.vis == hir::Public { self.prev_level } else { None }
248 // Update id of the item itself
249 let item_level = self.update(item.id, inherited_item_level);
251 // Update ids of nested things
253 hir::ItemEnum(ref def, _) => {
254 for variant in &def.variants {
255 let variant_level = self.update(variant.node.data.id(), item_level);
256 for field in variant.node.data.fields() {
257 self.update(field.node.id, variant_level);
261 hir::ItemImpl(_, _, _, None, _, ref impl_items) => {
262 for impl_item in impl_items {
263 if impl_item.vis == hir::Public {
264 self.update(impl_item.id, item_level);
268 hir::ItemImpl(_, _, _, Some(_), _, ref impl_items) => {
269 for impl_item in impl_items {
270 self.update(impl_item.id, item_level);
273 hir::ItemTrait(_, _, _, ref trait_items) => {
274 for trait_item in trait_items {
275 self.update(trait_item.id, item_level);
278 hir::ItemStruct(ref def, _) => {
279 if !def.is_struct() {
280 self.update(def.id(), item_level);
282 for field in def.fields() {
283 if field.node.kind.visibility() == hir::Public {
284 self.update(field.node.id, item_level);
288 hir::ItemForeignMod(ref foreign_mod) => {
289 for foreign_item in &foreign_mod.items {
290 if foreign_item.vis == hir::Public {
291 self.update(foreign_item.id, item_level);
295 hir::ItemTy(ref ty, _) if item_level.is_some() => {
296 if let hir::TyPath(..) = ty.node {
297 match self.tcx.def_map.borrow().get(&ty.id).unwrap().full_def() {
298 def::DefPrimTy(..) | def::DefSelfTy(..) | def::DefTyParam(..) => {},
300 if let Some(node_id) = self.tcx.map.as_local_node_id(def.def_id()) {
301 self.update(node_id, Some(AccessLevel::Reachable));
310 let orig_level = self.prev_level;
311 self.prev_level = item_level;
313 intravisit::walk_item(self, item);
315 self.prev_level = orig_level;
318 fn visit_block(&mut self, b: &'v hir::Block) {
319 let orig_level = replace(&mut self.prev_level, None);
321 // Blocks can have public items, for example impls, but they always
322 // start as completely private regardless of publicity of a function,
323 // constant, type, field, etc. in which this block resides
324 intravisit::walk_block(self, b);
326 self.prev_level = orig_level;
329 fn visit_mod(&mut self, m: &hir::Mod, _sp: Span, id: ast::NodeId) {
330 // This code is here instead of in visit_item so that the
331 // crate module gets processed as well.
332 if self.prev_level.is_some() {
333 for export in self.export_map.get(&id).expect("module isn't found in export map") {
334 if let Some(node_id) = self.tcx.map.as_local_node_id(export.def_id) {
335 self.update(node_id, Some(AccessLevel::Exported));
340 intravisit::walk_mod(self, m);
343 fn visit_macro_def(&mut self, md: &'v hir::MacroDef) {
344 self.update(md.id, Some(AccessLevel::Public));
348 ////////////////////////////////////////////////////////////////////////////////
349 /// The privacy visitor, where privacy checks take place (violations reported)
350 ////////////////////////////////////////////////////////////////////////////////
352 struct PrivacyVisitor<'a, 'tcx: 'a> {
353 tcx: &'a ty::ctxt<'tcx>,
354 curitem: ast::NodeId,
356 parents: NodeMap<ast::NodeId>,
357 external_exports: ExternalExports,
364 DisallowedBy(ast::NodeId),
368 UnnamedField(usize), // index
369 NamedField(ast::Name),
372 impl<'a, 'tcx> PrivacyVisitor<'a, 'tcx> {
373 // used when debugging
374 fn nodestr(&self, id: ast::NodeId) -> String {
375 self.tcx.map.node_to_string(id).to_string()
378 // Determines whether the given definition is public from the point of view
379 // of the current item.
380 fn def_privacy(&self, did: DefId) -> PrivacyResult {
381 let node_id = if let Some(node_id) = self.tcx.map.as_local_node_id(did) {
384 if self.external_exports.contains(&did) {
385 debug!("privacy - {:?} was externally exported", did);
388 debug!("privacy - is {:?} a public method", did);
390 return match self.tcx.impl_or_trait_items.borrow().get(&did) {
391 Some(&ty::ConstTraitItem(ref ac)) => {
392 debug!("privacy - it's a const: {:?}", *ac);
394 ty::TraitContainer(id) => {
395 debug!("privacy - recursing on trait {:?}", id);
398 ty::ImplContainer(id) => {
399 match self.tcx.impl_trait_ref(id) {
401 debug!("privacy - impl of trait {:?}", id);
402 self.def_privacy(t.def_id)
405 debug!("privacy - found inherent \
406 associated constant {:?}",
408 if ac.vis == hir::Public {
418 Some(&ty::MethodTraitItem(ref meth)) => {
419 debug!("privacy - well at least it's a method: {:?}",
421 match meth.container {
422 ty::TraitContainer(id) => {
423 debug!("privacy - recursing on trait {:?}", id);
426 ty::ImplContainer(id) => {
427 match self.tcx.impl_trait_ref(id) {
429 debug!("privacy - impl of trait {:?}", id);
430 self.def_privacy(t.def_id)
433 debug!("privacy - found a method {:?}",
435 if meth.vis == hir::Public {
445 Some(&ty::TypeTraitItem(ref typedef)) => {
446 match typedef.container {
447 ty::TraitContainer(id) => {
448 debug!("privacy - recursing on trait {:?}", id);
451 ty::ImplContainer(id) => {
452 match self.tcx.impl_trait_ref(id) {
454 debug!("privacy - impl of trait {:?}", id);
455 self.def_privacy(t.def_id)
458 debug!("privacy - found a typedef {:?}",
460 if typedef.vis == hir::Public {
471 debug!("privacy - nope, not even a method");
477 debug!("privacy - local {} not public all the way down",
478 self.tcx.map.node_to_string(node_id));
479 // return quickly for things in the same module
480 if self.parents.get(&node_id) == self.parents.get(&self.curitem) {
481 debug!("privacy - same parent, we're done here");
485 // We now know that there is at least one private member between the
486 // destination and the root.
487 let mut closest_private_id = node_id;
489 debug!("privacy - examining {}", self.nodestr(closest_private_id));
490 let vis = match self.tcx.map.find(closest_private_id) {
491 // If this item is a method, then we know for sure that it's an
492 // actual method and not a static method. The reason for this is
493 // that these cases are only hit in the ExprMethodCall
494 // expression, and ExprCall will have its path checked later
495 // (the path of the trait/impl) if it's a static method.
497 // With this information, then we can completely ignore all
498 // trait methods. The privacy violation would be if the trait
499 // couldn't get imported, not if the method couldn't be used
500 // (all trait methods are public).
502 // However, if this is an impl method, then we dictate this
503 // decision solely based on the privacy of the method
505 // FIXME(#10573) is this the right behavior? Why not consider
506 // where the method was defined?
507 Some(ast_map::NodeImplItem(ii)) => {
509 hir::ImplItemKind::Const(..) |
510 hir::ImplItemKind::Method(..) => {
511 let imp = self.tcx.map
512 .get_parent_did(closest_private_id);
513 match self.tcx.impl_trait_ref(imp) {
514 Some(..) => return Allowable,
515 _ if ii.vis == hir::Public => {
521 hir::ImplItemKind::Type(_) => return Allowable,
524 Some(ast_map::NodeTraitItem(_)) => {
528 // This is not a method call, extract the visibility as one
529 // would normally look at it
530 Some(ast_map::NodeItem(it)) => it.vis,
531 Some(ast_map::NodeForeignItem(_)) => {
532 self.tcx.map.get_foreign_vis(closest_private_id)
534 Some(ast_map::NodeVariant(..)) => {
535 hir::Public // need to move up a level (to the enum)
539 if vis != hir::Public { break }
540 // if we've reached the root, then everything was allowable and this
542 if closest_private_id == ast::CRATE_NODE_ID { return Allowable }
543 closest_private_id = *self.parents.get(&closest_private_id).unwrap();
545 // If we reached the top, then we were public all the way down and
546 // we can allow this access.
547 if closest_private_id == ast::DUMMY_NODE_ID { return Allowable }
549 debug!("privacy - closest priv {}", self.nodestr(closest_private_id));
550 if self.private_accessible(closest_private_id) {
553 DisallowedBy(closest_private_id)
557 /// True if `id` is both local and private-accessible
558 fn local_private_accessible(&self, did: DefId) -> bool {
559 if let Some(node_id) = self.tcx.map.as_local_node_id(did) {
560 self.private_accessible(node_id)
566 /// For a local private node in the AST, this function will determine
567 /// whether the node is accessible by the current module that iteration is
569 fn private_accessible(&self, id: ast::NodeId) -> bool {
570 let parent = *self.parents.get(&id).unwrap();
571 debug!("privacy - accessible parent {}", self.nodestr(parent));
573 // After finding `did`'s closest private member, we roll ourselves back
574 // to see if this private member's parent is anywhere in our ancestry.
575 // By the privacy rules, we can access all of our ancestor's private
576 // members, so that's why we test the parent, and not the did itself.
577 let mut cur = self.curitem;
579 debug!("privacy - questioning {}, {}", self.nodestr(cur), cur);
581 // If the relevant parent is in our history, then we're allowed
582 // to look inside any of our ancestor's immediate private items,
583 // so this access is valid.
584 x if x == parent => return true,
586 // If we've reached the root, then we couldn't access this item
587 // in the first place
588 ast::DUMMY_NODE_ID => return false,
594 cur = *self.parents.get(&cur).unwrap();
598 fn report_error(&self, result: CheckResult) -> bool {
601 Some((span, msg, note)) => {
602 self.tcx.sess.span_err(span, &msg[..]);
604 Some((span, msg)) => {
605 self.tcx.sess.span_note(span, &msg[..])
614 /// Guarantee that a particular definition is public. Returns a CheckResult
615 /// which contains any errors found. These can be reported using `report_error`.
616 /// If the result is `None`, no errors were found.
617 fn ensure_public(&self,
620 source_did: Option<DefId>,
623 debug!("ensure_public(span={:?}, to_check={:?}, source_did={:?}, msg={:?})",
624 span, to_check, source_did, msg);
625 let def_privacy = self.def_privacy(to_check);
626 debug!("ensure_public: def_privacy={:?}", def_privacy);
627 let id = match def_privacy {
628 ExternallyDenied => {
629 return Some((span, format!("{} is private", msg), None))
631 Allowable => return None,
632 DisallowedBy(id) => id,
635 // If we're disallowed by a particular id, then we attempt to
636 // give a nice error message to say why it was disallowed. It
637 // was either because the item itself is private or because
638 // its parent is private and its parent isn't in our
639 // ancestry. (Both the item being checked and its parent must
641 let def_id = source_did.unwrap_or(to_check);
642 let node_id = self.tcx.map.as_local_node_id(def_id);
643 let (err_span, err_msg) = if Some(id) == node_id {
644 return Some((span, format!("{} is private", msg), None));
646 (span, format!("{} is inaccessible", msg))
648 let item = match self.tcx.map.find(id) {
649 Some(ast_map::NodeItem(item)) => {
651 // If an impl disallowed this item, then this is resolve's
652 // way of saying that a struct/enum's static method was
653 // invoked, and the struct/enum itself is private. Crawl
654 // back up the chains to find the relevant struct/enum that
656 hir::ItemImpl(_, _, _, _, ref ty, _) => {
658 hir::TyPath(..) => {}
659 _ => return Some((err_span, err_msg, None)),
661 let def = self.tcx.def_map.borrow().get(&ty.id).unwrap().full_def();
662 let did = def.def_id();
663 let node_id = self.tcx.map.as_local_node_id(did).unwrap();
664 match self.tcx.map.get(node_id) {
665 ast_map::NodeItem(item) => item,
666 _ => self.tcx.sess.span_bug(item.span,
667 "path is not an item")
673 Some(..) | None => return Some((err_span, err_msg, None)),
675 let desc = match item.node {
676 hir::ItemMod(..) => "module",
677 hir::ItemTrait(..) => "trait",
678 hir::ItemStruct(..) => "struct",
679 hir::ItemEnum(..) => "enum",
680 _ => return Some((err_span, err_msg, None))
682 let msg = format!("{} `{}` is private", desc, item.name);
683 Some((err_span, err_msg, Some((span, msg))))
686 // Checks that a field is in scope.
687 fn check_field(&mut self,
689 def: ty::AdtDef<'tcx>,
690 v: ty::VariantDef<'tcx>,
692 let field = match name {
693 NamedField(f_name) => {
694 debug!("privacy - check named field {} in struct {:?}", f_name, def);
695 v.field_named(f_name)
697 UnnamedField(idx) => &v.fields[idx]
699 if field.vis == hir::Public || self.local_private_accessible(field.did) {
703 let struct_desc = match def.adt_kind() {
704 ty::AdtKind::Struct =>
705 format!("struct `{}`", self.tcx.item_path_str(def.did)),
706 // struct variant fields have inherited visibility
707 ty::AdtKind::Enum => return
709 let msg = match name {
710 NamedField(name) => format!("field `{}` of {} is private",
712 UnnamedField(idx) => format!("field #{} of {} is private",
713 idx + 1, struct_desc),
715 span_err!(self.tcx.sess, span, E0451,
719 // Given the ID of a method, checks to ensure it's in scope.
720 fn check_static_method(&mut self,
724 self.report_error(self.ensure_public(span,
727 &format!("method `{}`",
731 // Checks that a path is in scope.
732 fn check_path(&mut self, span: Span, path_id: ast::NodeId, last: ast::Name) {
733 debug!("privacy - path {}", self.nodestr(path_id));
734 let path_res = *self.tcx.def_map.borrow().get(&path_id).unwrap();
735 let ck = |tyname: &str| {
736 let ck_public = |def: DefId| {
737 debug!("privacy - ck_public {:?}", def);
738 let origdid = path_res.def_id();
739 self.ensure_public(span,
742 &format!("{} `{}`", tyname, last))
745 match path_res.last_private {
746 LastMod(AllPublic) => {},
747 LastMod(DependsOn(def)) => {
748 self.report_error(ck_public(def));
750 LastImport { value_priv,
751 value_used: check_value,
753 type_used: check_type } => {
754 // This dance with found_error is because we don't want to
755 // report a privacy error twice for the same directive.
756 let found_error = match (type_priv, check_type) {
757 (Some(DependsOn(def)), Used) => {
758 !self.report_error(ck_public(def))
763 match (value_priv, check_value) {
764 (Some(DependsOn(def)), Used) => {
765 self.report_error(ck_public(def));
770 // If an import is not used in either namespace, we still
771 // want to check that it could be legal. Therefore we check
772 // in both namespaces and only report an error if both would
773 // be illegal. We only report one error, even if it is
774 // illegal to import from both namespaces.
775 match (value_priv, check_value, type_priv, check_type) {
776 (Some(p), Unused, None, _) |
777 (None, _, Some(p), Unused) => {
780 DependsOn(def) => ck_public(def),
783 self.report_error(p);
786 (Some(v), Unused, Some(t), Unused) => {
789 DependsOn(def) => ck_public(def),
793 DependsOn(def) => ck_public(def),
795 if let (Some(_), Some(t)) = (v, t) {
796 self.report_error(Some(t));
804 // FIXME(#12334) Imports can refer to definitions in both the type and
805 // value namespaces. The privacy information is aware of this, but the
806 // def map is not. Therefore the names we work out below will not always
807 // be accurate and we can get slightly wonky error messages (but type
808 // checking is always correct).
809 match path_res.full_def() {
810 def::DefFn(..) => ck("function"),
811 def::DefStatic(..) => ck("static"),
812 def::DefConst(..) => ck("const"),
813 def::DefAssociatedConst(..) => ck("associated const"),
814 def::DefVariant(..) => ck("variant"),
815 def::DefTy(_, false) => ck("type"),
816 def::DefTy(_, true) => ck("enum"),
817 def::DefTrait(..) => ck("trait"),
818 def::DefStruct(..) => ck("struct"),
819 def::DefMethod(..) => ck("method"),
820 def::DefMod(..) => ck("module"),
825 // Checks that a method is in scope.
826 fn check_method(&mut self, span: Span, method_def_id: DefId,
828 match self.tcx.impl_or_trait_item(method_def_id).container() {
829 ty::ImplContainer(_) => {
830 self.check_static_method(span, method_def_id, name)
832 // Trait methods are always all public. The only controlling factor
833 // is whether the trait itself is accessible or not.
834 ty::TraitContainer(trait_def_id) => {
835 self.report_error(self.ensure_public(span, trait_def_id,
836 None, "source trait"));
842 impl<'a, 'tcx, 'v> Visitor<'v> for PrivacyVisitor<'a, 'tcx> {
843 /// We want to visit items in the context of their containing
844 /// module and so forth, so supply a crate for doing a deep walk.
845 fn visit_nested_item(&mut self, item: hir::ItemId) {
846 self.visit_item(self.tcx.map.expect_item(item.id))
849 fn visit_item(&mut self, item: &hir::Item) {
850 let orig_curitem = replace(&mut self.curitem, item.id);
851 intravisit::walk_item(self, item);
852 self.curitem = orig_curitem;
855 fn visit_expr(&mut self, expr: &hir::Expr) {
857 hir::ExprField(ref base, name) => {
858 if let ty::TyStruct(def, _) = self.tcx.expr_ty_adjusted(&**base).sty {
859 self.check_field(expr.span,
861 def.struct_variant(),
862 NamedField(name.node));
865 hir::ExprTupField(ref base, idx) => {
866 if let ty::TyStruct(def, _) = self.tcx.expr_ty_adjusted(&**base).sty {
867 self.check_field(expr.span,
869 def.struct_variant(),
870 UnnamedField(idx.node));
873 hir::ExprMethodCall(name, _, _) => {
874 let method_call = ty::MethodCall::expr(expr.id);
875 let method = self.tcx.tables.borrow().method_map[&method_call];
876 debug!("(privacy checking) checking impl method");
877 self.check_method(expr.span, method.def_id, name.node);
879 hir::ExprStruct(..) => {
880 let adt = self.tcx.expr_ty(expr).ty_adt_def().unwrap();
881 let variant = adt.variant_of_def(self.tcx.resolve_expr(expr));
882 // RFC 736: ensure all unmentioned fields are visible.
883 // Rather than computing the set of unmentioned fields
884 // (i.e. `all_fields - fields`), just check them all.
885 for field in &variant.fields {
886 self.check_field(expr.span, adt, variant, NamedField(field.name));
889 hir::ExprPath(..) => {
891 if let def::DefStruct(_) = self.tcx.resolve_expr(expr) {
892 let expr_ty = self.tcx.expr_ty(expr);
893 let def = match expr_ty.sty {
894 ty::TyBareFn(_, &ty::BareFnTy { sig: ty::Binder(ty::FnSig {
895 output: ty::FnConverging(ty), ..
898 }.ty_adt_def().unwrap();
899 let any_priv = def.struct_variant().fields.iter().any(|f| {
900 f.vis != hir::Public && !self.local_private_accessible(f.did)
903 span_err!(self.tcx.sess, expr.span, E0450,
904 "cannot invoke tuple struct constructor with private \
912 intravisit::walk_expr(self, expr);
915 fn visit_pat(&mut self, pattern: &hir::Pat) {
916 // Foreign functions do not have their patterns mapped in the def_map,
917 // and there's nothing really relevant there anyway, so don't bother
918 // checking privacy. If you can name the type then you can pass it to an
919 // external C function anyway.
920 if self.in_foreign { return }
923 hir::PatStruct(_, ref fields, _) => {
924 let adt = self.tcx.pat_ty(pattern).ty_adt_def().unwrap();
925 let def = self.tcx.def_map.borrow().get(&pattern.id).unwrap().full_def();
926 let variant = adt.variant_of_def(def);
927 for field in fields {
928 self.check_field(pattern.span, adt, variant,
929 NamedField(field.node.name));
933 // Patterns which bind no fields are allowable (the path is check
935 hir::PatEnum(_, Some(ref fields)) => {
936 match self.tcx.pat_ty(pattern).sty {
937 ty::TyStruct(def, _) => {
938 for (i, field) in fields.iter().enumerate() {
939 if let hir::PatWild = field.node {
942 self.check_field(field.span,
944 def.struct_variant(),
949 // enum fields have no privacy at this time
958 intravisit::walk_pat(self, pattern);
961 fn visit_foreign_item(&mut self, fi: &hir::ForeignItem) {
962 self.in_foreign = true;
963 intravisit::walk_foreign_item(self, fi);
964 self.in_foreign = false;
967 fn visit_path(&mut self, path: &hir::Path, id: ast::NodeId) {
968 if !path.segments.is_empty() {
969 self.check_path(path.span, id, path.segments.last().unwrap().identifier.name);
970 intravisit::walk_path(self, path);
974 fn visit_path_list_item(&mut self, prefix: &hir::Path, item: &hir::PathListItem) {
975 let name = if let hir::PathListIdent { name, .. } = item.node {
977 } else if !prefix.segments.is_empty() {
978 prefix.segments.last().unwrap().identifier.name
980 self.tcx.sess.bug("`self` import in an import list with empty prefix");
982 self.check_path(item.span, item.node.id(), name);
983 intravisit::walk_path_list_item(self, prefix, item);
987 ////////////////////////////////////////////////////////////////////////////////
988 /// The privacy sanity check visitor, ensures unnecessary visibility isn't here
989 ////////////////////////////////////////////////////////////////////////////////
991 struct SanePrivacyVisitor<'a, 'tcx: 'a> {
992 tcx: &'a ty::ctxt<'tcx>,
996 impl<'a, 'tcx, 'v> Visitor<'v> for SanePrivacyVisitor<'a, 'tcx> {
997 /// We want to visit items in the context of their containing
998 /// module and so forth, so supply a crate for doing a deep walk.
999 fn visit_nested_item(&mut self, item: hir::ItemId) {
1000 self.visit_item(self.tcx.map.expect_item(item.id))
1003 fn visit_item(&mut self, item: &hir::Item) {
1004 self.check_sane_privacy(item);
1006 self.check_all_inherited(item);
1009 let orig_in_block = self.in_block;
1011 // Modules turn privacy back on, otherwise we inherit
1012 self.in_block = if let hir::ItemMod(..) = item.node { false } else { orig_in_block };
1014 intravisit::walk_item(self, item);
1015 self.in_block = orig_in_block;
1018 fn visit_block(&mut self, b: &'v hir::Block) {
1019 let orig_in_block = replace(&mut self.in_block, true);
1020 intravisit::walk_block(self, b);
1021 self.in_block = orig_in_block;
1025 impl<'a, 'tcx> SanePrivacyVisitor<'a, 'tcx> {
1026 /// Validates all of the visibility qualifiers placed on the item given. This
1027 /// ensures that there are no extraneous qualifiers that don't actually do
1028 /// anything. In theory these qualifiers wouldn't parse, but that may happen
1029 /// later on down the road...
1030 fn check_sane_privacy(&self, item: &hir::Item) {
1031 let check_inherited = |sp, vis, note: &str| {
1032 if vis != hir::Inherited {
1033 span_err!(self.tcx.sess, sp, E0449, "unnecessary visibility qualifier");
1034 if !note.is_empty() {
1035 self.tcx.sess.span_note(sp, note);
1041 // implementations of traits don't need visibility qualifiers because
1042 // that's controlled by having the trait in scope.
1043 hir::ItemImpl(_, _, _, Some(..), _, ref impl_items) => {
1044 check_inherited(item.span, item.vis,
1045 "visibility qualifiers have no effect on trait impls");
1046 for impl_item in impl_items {
1047 check_inherited(impl_item.span, impl_item.vis, "");
1050 hir::ItemImpl(_, _, _, None, _, _) => {
1051 check_inherited(item.span, item.vis,
1052 "place qualifiers on individual methods instead");
1054 hir::ItemDefaultImpl(..) => {
1055 check_inherited(item.span, item.vis,
1056 "visibility qualifiers have no effect on trait impls");
1058 hir::ItemForeignMod(..) => {
1059 check_inherited(item.span, item.vis,
1060 "place qualifiers on individual functions instead");
1062 hir::ItemStruct(..) | hir::ItemEnum(..) | hir::ItemTrait(..) |
1063 hir::ItemConst(..) | hir::ItemStatic(..) | hir::ItemFn(..) |
1064 hir::ItemMod(..) | hir::ItemExternCrate(..) |
1065 hir::ItemUse(..) | hir::ItemTy(..) => {}
1069 /// When inside of something like a function or a method, visibility has no
1070 /// control over anything so this forbids any mention of any visibility
1071 fn check_all_inherited(&self, item: &hir::Item) {
1072 let check_inherited = |sp, vis| {
1073 if vis != hir::Inherited {
1074 span_err!(self.tcx.sess, sp, E0447,
1075 "visibility has no effect inside functions or block expressions");
1079 check_inherited(item.span, item.vis);
1081 hir::ItemImpl(_, _, _, _, _, ref impl_items) => {
1082 for impl_item in impl_items {
1083 check_inherited(impl_item.span, impl_item.vis);
1086 hir::ItemForeignMod(ref fm) => {
1087 for fi in &fm.items {
1088 check_inherited(fi.span, fi.vis);
1091 hir::ItemStruct(ref vdata, _) => {
1092 for f in vdata.fields() {
1093 check_inherited(f.span, f.node.kind.visibility());
1096 hir::ItemDefaultImpl(..) | hir::ItemEnum(..) | hir::ItemTrait(..) |
1097 hir::ItemConst(..) | hir::ItemStatic(..) | hir::ItemFn(..) |
1098 hir::ItemMod(..) | hir::ItemExternCrate(..) |
1099 hir::ItemUse(..) | hir::ItemTy(..) => {}
1104 struct VisiblePrivateTypesVisitor<'a, 'tcx: 'a> {
1105 tcx: &'a ty::ctxt<'tcx>,
1106 access_levels: &'a AccessLevels,
1110 struct CheckTypeForPrivatenessVisitor<'a, 'b: 'a, 'tcx: 'b> {
1111 inner: &'a VisiblePrivateTypesVisitor<'b, 'tcx>,
1112 /// whether the type refers to private types.
1113 contains_private: bool,
1114 /// whether we've recurred at all (i.e. if we're pointing at the
1115 /// first type on which visit_ty was called).
1116 at_outer_type: bool,
1117 // whether that first type is a public path.
1118 outer_type_is_public_path: bool,
1121 impl<'a, 'tcx> VisiblePrivateTypesVisitor<'a, 'tcx> {
1122 fn path_is_private_type(&self, path_id: ast::NodeId) -> bool {
1123 let did = match self.tcx.def_map.borrow().get(&path_id).map(|d| d.full_def()) {
1124 // `int` etc. (None doesn't seem to occur.)
1125 None | Some(def::DefPrimTy(..)) | Some(def::DefSelfTy(..)) => return false,
1126 Some(def) => def.def_id(),
1129 // A path can only be private if:
1130 // it's in this crate...
1131 if let Some(node_id) = self.tcx.map.as_local_node_id(did) {
1132 // .. and it corresponds to a private type in the AST (this returns
1133 // None for type parameters)
1134 match self.tcx.map.find(node_id) {
1135 Some(ast_map::NodeItem(ref item)) => item.vis != hir::Public,
1136 Some(_) | None => false,
1143 fn trait_is_public(&self, trait_id: ast::NodeId) -> bool {
1144 // FIXME: this would preferably be using `exported_items`, but all
1145 // traits are exported currently (see `EmbargoVisitor.exported_trait`)
1146 self.access_levels.is_public(trait_id)
1149 fn check_ty_param_bound(&self,
1150 ty_param_bound: &hir::TyParamBound) {
1151 if let hir::TraitTyParamBound(ref trait_ref, _) = *ty_param_bound {
1152 if !self.tcx.sess.features.borrow().visible_private_types &&
1153 self.path_is_private_type(trait_ref.trait_ref.ref_id) {
1154 let span = trait_ref.trait_ref.path.span;
1155 span_err!(self.tcx.sess, span, E0445,
1156 "private trait in exported type parameter bound");
1161 fn item_is_public(&self, id: &ast::NodeId, vis: hir::Visibility) -> bool {
1162 self.access_levels.is_reachable(*id) || vis == hir::Public
1166 impl<'a, 'b, 'tcx, 'v> Visitor<'v> for CheckTypeForPrivatenessVisitor<'a, 'b, 'tcx> {
1167 fn visit_ty(&mut self, ty: &hir::Ty) {
1168 if let hir::TyPath(..) = ty.node {
1169 if self.inner.path_is_private_type(ty.id) {
1170 self.contains_private = true;
1171 // found what we're looking for so let's stop
1174 } else if self.at_outer_type {
1175 self.outer_type_is_public_path = true;
1178 self.at_outer_type = false;
1179 intravisit::walk_ty(self, ty)
1182 // don't want to recurse into [, .. expr]
1183 fn visit_expr(&mut self, _: &hir::Expr) {}
1186 impl<'a, 'tcx, 'v> Visitor<'v> for VisiblePrivateTypesVisitor<'a, 'tcx> {
1187 /// We want to visit items in the context of their containing
1188 /// module and so forth, so supply a crate for doing a deep walk.
1189 fn visit_nested_item(&mut self, item: hir::ItemId) {
1190 self.visit_item(self.tcx.map.expect_item(item.id))
1193 fn visit_item(&mut self, item: &hir::Item) {
1195 // contents of a private mod can be reexported, so we need
1196 // to check internals.
1197 hir::ItemMod(_) => {}
1199 // An `extern {}` doesn't introduce a new privacy
1200 // namespace (the contents have their own privacies).
1201 hir::ItemForeignMod(_) => {}
1203 hir::ItemTrait(_, _, ref bounds, _) => {
1204 if !self.trait_is_public(item.id) {
1208 for bound in bounds.iter() {
1209 self.check_ty_param_bound(bound)
1213 // impls need some special handling to try to offer useful
1214 // error messages without (too many) false positives
1215 // (i.e. we could just return here to not check them at
1216 // all, or some worse estimation of whether an impl is
1217 // publicly visible).
1218 hir::ItemImpl(_, _, ref g, ref trait_ref, ref self_, ref impl_items) => {
1219 // `impl [... for] Private` is never visible.
1220 let self_contains_private;
1221 // impl [... for] Public<...>, but not `impl [... for]
1222 // Vec<Public>` or `(Public,)` etc.
1223 let self_is_public_path;
1225 // check the properties of the Self type:
1227 let mut visitor = CheckTypeForPrivatenessVisitor {
1229 contains_private: false,
1230 at_outer_type: true,
1231 outer_type_is_public_path: false,
1233 visitor.visit_ty(&**self_);
1234 self_contains_private = visitor.contains_private;
1235 self_is_public_path = visitor.outer_type_is_public_path;
1238 // miscellaneous info about the impl
1240 // `true` iff this is `impl Private for ...`.
1241 let not_private_trait =
1242 trait_ref.as_ref().map_or(true, // no trait counts as public trait
1244 let did = self.tcx.trait_ref_to_def_id(tr);
1246 if let Some(node_id) = self.tcx.map.as_local_node_id(did) {
1247 self.trait_is_public(node_id)
1249 true // external traits must be public
1253 // `true` iff this is a trait impl or at least one method is public.
1255 // `impl Public { $( fn ...() {} )* }` is not visible.
1257 // This is required over just using the methods' privacy
1258 // directly because we might have `impl<T: Foo<Private>> ...`,
1259 // and we shouldn't warn about the generics if all the methods
1260 // are private (because `T` won't be visible externally).
1261 let trait_or_some_public_method =
1262 trait_ref.is_some() ||
1265 match impl_item.node {
1266 hir::ImplItemKind::Const(..) |
1267 hir::ImplItemKind::Method(..) => {
1268 self.access_levels.is_reachable(impl_item.id)
1270 hir::ImplItemKind::Type(_) => false,
1274 if !self_contains_private &&
1275 not_private_trait &&
1276 trait_or_some_public_method {
1278 intravisit::walk_generics(self, g);
1282 for impl_item in impl_items {
1283 // This is where we choose whether to walk down
1284 // further into the impl to check its items. We
1285 // should only walk into public items so that we
1286 // don't erroneously report errors for private
1287 // types in private items.
1288 match impl_item.node {
1289 hir::ImplItemKind::Const(..) |
1290 hir::ImplItemKind::Method(..)
1291 if self.item_is_public(&impl_item.id, impl_item.vis) =>
1293 intravisit::walk_impl_item(self, impl_item)
1295 hir::ImplItemKind::Type(..) => {
1296 intravisit::walk_impl_item(self, impl_item)
1303 // Any private types in a trait impl fall into three
1305 // 1. mentioned in the trait definition
1306 // 2. mentioned in the type params/generics
1307 // 3. mentioned in the associated types of the impl
1309 // Those in 1. can only occur if the trait is in
1310 // this crate and will've been warned about on the
1311 // trait definition (there's no need to warn twice
1312 // so we don't check the methods).
1314 // Those in 2. are warned via walk_generics and this
1316 intravisit::walk_path(self, &tr.path);
1318 // Those in 3. are warned with this call.
1319 for impl_item in impl_items {
1320 if let hir::ImplItemKind::Type(ref ty) = impl_item.node {
1326 } else if trait_ref.is_none() && self_is_public_path {
1327 // impl Public<Private> { ... }. Any public static
1328 // methods will be visible as `Public::foo`.
1329 let mut found_pub_static = false;
1330 for impl_item in impl_items {
1331 match impl_item.node {
1332 hir::ImplItemKind::Const(..) => {
1333 if self.item_is_public(&impl_item.id, impl_item.vis) {
1334 found_pub_static = true;
1335 intravisit::walk_impl_item(self, impl_item);
1338 hir::ImplItemKind::Method(ref sig, _) => {
1339 if sig.explicit_self.node == hir::SelfStatic &&
1340 self.item_is_public(&impl_item.id, impl_item.vis) {
1341 found_pub_static = true;
1342 intravisit::walk_impl_item(self, impl_item);
1348 if found_pub_static {
1349 intravisit::walk_generics(self, g)
1355 // `type ... = ...;` can contain private types, because
1356 // we're introducing a new name.
1357 hir::ItemTy(..) => return,
1359 // not at all public, so we don't care
1360 _ if !self.item_is_public(&item.id, item.vis) => {
1367 // We've carefully constructed it so that if we're here, then
1368 // any `visit_ty`'s will be called on things that are in
1369 // public signatures, i.e. things that we're interested in for
1371 debug!("VisiblePrivateTypesVisitor entering item {:?}", item);
1372 intravisit::walk_item(self, item);
1375 fn visit_generics(&mut self, generics: &hir::Generics) {
1376 for ty_param in generics.ty_params.iter() {
1377 for bound in ty_param.bounds.iter() {
1378 self.check_ty_param_bound(bound)
1381 for predicate in &generics.where_clause.predicates {
1383 &hir::WherePredicate::BoundPredicate(ref bound_pred) => {
1384 for bound in bound_pred.bounds.iter() {
1385 self.check_ty_param_bound(bound)
1388 &hir::WherePredicate::RegionPredicate(_) => {}
1389 &hir::WherePredicate::EqPredicate(ref eq_pred) => {
1390 self.visit_ty(&*eq_pred.ty);
1396 fn visit_foreign_item(&mut self, item: &hir::ForeignItem) {
1397 if self.access_levels.is_reachable(item.id) {
1398 intravisit::walk_foreign_item(self, item)
1402 fn visit_ty(&mut self, t: &hir::Ty) {
1403 debug!("VisiblePrivateTypesVisitor checking ty {:?}", t);
1404 if let hir::TyPath(_, ref p) = t.node {
1405 if !self.tcx.sess.features.borrow().visible_private_types &&
1406 self.path_is_private_type(t.id) {
1407 span_err!(self.tcx.sess, p.span, E0446,
1408 "private type in exported type signature");
1411 intravisit::walk_ty(self, t)
1414 fn visit_variant(&mut self, v: &hir::Variant, g: &hir::Generics, item_id: ast::NodeId) {
1415 if self.access_levels.is_reachable(v.node.data.id()) {
1416 self.in_variant = true;
1417 intravisit::walk_variant(self, v, g, item_id);
1418 self.in_variant = false;
1422 fn visit_struct_field(&mut self, s: &hir::StructField) {
1423 let vis = match s.node.kind {
1424 hir::NamedField(_, vis) | hir::UnnamedField(vis) => vis
1426 if vis == hir::Public || self.in_variant {
1427 intravisit::walk_struct_field(self, s);
1431 // we don't need to introspect into these at all: an
1432 // expression/block context can't possibly contain exported things.
1433 // (Making them no-ops stops us from traversing the whole AST without
1434 // having to be super careful about our `walk_...` calls above.)
1435 // FIXME(#29524): Unfortunately this ^^^ is not true, blocks can contain
1436 // exported items (e.g. impls) and actual code in rustc itself breaks
1437 // if we don't traverse blocks in `EmbargoVisitor`
1438 fn visit_block(&mut self, _: &hir::Block) {}
1439 fn visit_expr(&mut self, _: &hir::Expr) {}
1442 pub fn check_crate(tcx: &ty::ctxt,
1443 export_map: &def::ExportMap,
1444 external_exports: ExternalExports)
1446 let krate = tcx.map.krate();
1448 // Sanity check to make sure that all privacy usage and controls are
1450 let mut visitor = SanePrivacyVisitor {
1454 intravisit::walk_crate(&mut visitor, krate);
1456 // Figure out who everyone's parent is
1457 let mut visitor = ParentVisitor {
1460 curparent: ast::DUMMY_NODE_ID,
1462 intravisit::walk_crate(&mut visitor, krate);
1464 // Use the parent map to check the privacy of everything
1465 let mut visitor = PrivacyVisitor {
1466 curitem: ast::DUMMY_NODE_ID,
1469 parents: visitor.parents,
1470 external_exports: external_exports,
1472 intravisit::walk_crate(&mut visitor, krate);
1474 tcx.sess.abort_if_errors();
1476 // Build up a set of all exported items in the AST. This is a set of all
1477 // items which are reachable from external crates based on visibility.
1478 let mut visitor = EmbargoVisitor {
1480 export_map: export_map,
1481 access_levels: Default::default(),
1482 prev_level: Some(AccessLevel::Public),
1486 intravisit::walk_crate(&mut visitor, krate);
1487 if visitor.changed {
1488 visitor.changed = false;
1493 visitor.update(ast::CRATE_NODE_ID, Some(AccessLevel::Public));
1495 let EmbargoVisitor { access_levels, .. } = visitor;
1498 let mut visitor = VisiblePrivateTypesVisitor {
1500 access_levels: &access_levels,
1503 intravisit::walk_crate(&mut visitor, krate);
1509 __build_diagnostic_array! { librustc_privacy, DIAGNOSTICS }