1 // Copyright 2014-2015 The Rust Project Developers. See the COPYRIGHT
2 // file at the top-level directory of this distribution and at
3 // http://rust-lang.org/COPYRIGHT.
5 // Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
6 // http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
7 // <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your
8 // option. This file may not be copied, modified, or distributed
9 // except according to those terms.
11 use check::regionck::{self, Rcx};
13 use middle::def_id::{DefId, LOCAL_CRATE};
16 use middle::subst::{self, Subst};
17 use middle::ty::{self, Ty};
18 use util::nodemap::FnvHashSet;
21 use syntax::codemap::{self, Span};
22 use syntax::parse::token::special_idents;
24 /// check_drop_impl confirms that the Drop implementation identfied by
25 /// `drop_impl_did` is not any more specialized than the type it is
26 /// attached to (Issue #8142).
30 /// 1. The self type must be nominal (this is already checked during
33 /// 2. The generic region/type parameters of the impl's self-type must
34 /// all be parameters of the Drop impl itself (i.e. no
35 /// specialization like `impl Drop for Foo<i32>`), and,
37 /// 3. Any bounds on the generic parameters must be reflected in the
38 /// struct/enum definition for the nominal type itself (i.e.
39 /// cannot do `struct S<T>; impl<T:Clone> Drop for S<T> { ... }`).
41 pub fn check_drop_impl(tcx: &ty::ctxt, drop_impl_did: DefId) -> Result<(), ()> {
42 let ty::TypeScheme { generics: ref dtor_generics,
43 ty: dtor_self_type } = tcx.lookup_item_type(drop_impl_did);
44 let dtor_predicates = tcx.lookup_predicates(drop_impl_did);
45 match dtor_self_type.sty {
46 ty::TyEnum(adt_def, self_to_impl_substs) |
47 ty::TyStruct(adt_def, self_to_impl_substs) => {
48 try!(ensure_drop_params_and_item_params_correspond(tcx,
54 ensure_drop_predicates_are_implied_by_item_defn(tcx,
61 // Destructors only work on nominal types. This was
62 // already checked by coherence, so we can panic here.
63 let span = tcx.map.def_id_span(drop_impl_did, codemap::DUMMY_SP);
65 span, &format!("should have been rejected by coherence check: {}",
71 fn ensure_drop_params_and_item_params_correspond<'tcx>(
74 drop_impl_generics: &ty::Generics<'tcx>,
75 drop_impl_ty: &ty::Ty<'tcx>,
76 self_type_did: DefId) -> Result<(), ()>
78 // New strategy based on review suggestion from nikomatsakis.
80 // (In the text and code below, "named" denotes "struct/enum", and
81 // "generic params" denotes "type and region params")
83 // 1. Create fresh skolemized type/region "constants" for each of
84 // the named type's generic params. Instantiate the named type
85 // with the fresh constants, yielding `named_skolem`.
87 // 2. Create unification variables for each of the Drop impl's
88 // generic params. Instantiate the impl's Self's type with the
89 // unification-vars, yielding `drop_unifier`.
91 // 3. Attempt to unify Self_unif with Type_skolem. If unification
92 // succeeds, continue (i.e. with the predicate checks).
94 let ty::TypeScheme { generics: ref named_type_generics,
96 tcx.lookup_item_type(self_type_did);
98 let infcx = infer::new_infer_ctxt(tcx, &tcx.tables, None, false);
100 infcx.commit_if_ok(|snapshot| {
101 let (named_type_to_skolem, skol_map) =
102 infcx.construct_skolemized_subst(named_type_generics, snapshot);
103 let named_type_skolem = named_type.subst(tcx, &named_type_to_skolem);
105 let drop_impl_span = tcx.map.def_id_span(drop_impl_did, codemap::DUMMY_SP);
106 let drop_to_unifier =
107 infcx.fresh_substs_for_generics(drop_impl_span, drop_impl_generics);
108 let drop_unifier = drop_impl_ty.subst(tcx, &drop_to_unifier);
110 if let Ok(()) = infer::mk_eqty(&infcx, true, infer::TypeOrigin::Misc(drop_impl_span),
111 named_type_skolem, drop_unifier) {
112 // Even if we did manage to equate the types, the process
113 // may have just gathered unsolvable region constraints
114 // like `R == 'static` (represented as a pair of subregion
115 // constraints) for some skolemization constant R.
117 // However, the leak_check method allows us to confirm
118 // that no skolemized regions escaped (i.e. were related
119 // to other regions in the constraint graph).
120 if let Ok(()) = infcx.leak_check(&skol_map, snapshot) {
125 span_err!(tcx.sess, drop_impl_span, E0366,
126 "Implementations of Drop cannot be specialized");
127 let item_span = tcx.map.span(self_type_did.node);
128 tcx.sess.span_note(item_span,
129 "Use same sequence of generic type and region \
130 parameters that is on the struct/enum definition");
135 /// Confirms that every predicate imposed by dtor_predicates is
136 /// implied by assuming the predicates attached to self_type_did.
137 fn ensure_drop_predicates_are_implied_by_item_defn<'tcx>(
138 tcx: &ty::ctxt<'tcx>,
139 drop_impl_did: DefId,
140 dtor_predicates: &ty::GenericPredicates<'tcx>,
141 self_type_did: DefId,
142 self_to_impl_substs: &subst::Substs<'tcx>) -> Result<(), ()> {
144 // Here is an example, analogous to that from
145 // `compare_impl_method`.
147 // Consider a struct type:
149 // struct Type<'c, 'b:'c, 'a> {
150 // x: &'a Contents // (contents are irrelevant;
151 // y: &'c Cell<&'b Contents>, // only the bounds matter for our purposes.)
156 // impl<'z, 'y:'z, 'x:'y> Drop for P<'z, 'y, 'x> {
157 // fn drop(&mut self) { self.y.set(self.x); } // (only legal if 'x: 'y)
160 // We start out with self_to_impl_substs, that maps the generic
161 // parameters of Type to that of the Drop impl.
163 // self_to_impl_substs = {'c => 'z, 'b => 'y, 'a => 'x}
165 // Applying this to the predicates (i.e. assumptions) provided by the item
166 // definition yields the instantiated assumptions:
170 // We then check all of the predicates of the Drop impl:
174 // and ensure each is in the list of instantiated
175 // assumptions. Here, `'y:'z` is present, but `'x:'y` is
176 // absent. So we report an error that the Drop impl injected a
177 // predicate that is not present on the struct definition.
179 assert_eq!(self_type_did.krate, LOCAL_CRATE);
181 let drop_impl_span = tcx.map.def_id_span(drop_impl_did, codemap::DUMMY_SP);
183 // We can assume the predicates attached to struct/enum definition
185 let generic_assumptions = tcx.lookup_predicates(self_type_did);
187 let assumptions_in_impl_context = generic_assumptions.instantiate(tcx, &self_to_impl_substs);
188 assert!(assumptions_in_impl_context.predicates.is_empty_in(subst::SelfSpace));
189 assert!(assumptions_in_impl_context.predicates.is_empty_in(subst::FnSpace));
190 let assumptions_in_impl_context =
191 assumptions_in_impl_context.predicates.get_slice(subst::TypeSpace);
193 // An earlier version of this code attempted to do this checking
194 // via the traits::fulfill machinery. However, it ran into trouble
195 // since the fulfill machinery merely turns outlives-predicates
196 // 'a:'b and T:'b into region inference constraints. It is simpler
197 // just to look for all the predicates directly.
199 assert!(dtor_predicates.predicates.is_empty_in(subst::SelfSpace));
200 assert!(dtor_predicates.predicates.is_empty_in(subst::FnSpace));
201 let predicates = dtor_predicates.predicates.get_slice(subst::TypeSpace);
202 for predicate in predicates {
203 // (We do not need to worry about deep analysis of type
204 // expressions etc because the Drop impls are already forced
205 // to take on a structure that is roughly a alpha-renaming of
206 // the generic parameters of the item definition.)
208 // This path now just checks *all* predicates via the direct
209 // lookup, rather than using fulfill machinery.
211 // However, it may be more efficient in the future to batch
212 // the analysis together via the fulfill , rather than the
213 // repeated `contains` calls.
215 if !assumptions_in_impl_context.contains(&predicate) {
216 let item_span = tcx.map.span(self_type_did.node);
217 span_err!(tcx.sess, drop_impl_span, E0367,
218 "The requirement `{}` is added only by the Drop impl.", predicate);
219 tcx.sess.span_note(item_span,
220 "The same requirement must be part of \
221 the struct/enum definition");
225 if tcx.sess.has_errors() {
231 /// check_safety_of_destructor_if_necessary confirms that the type
232 /// expression `typ` conforms to the "Drop Check Rule" from the Sound
233 /// Generic Drop (RFC 769).
237 /// The Drop Check Rule is the following:
239 /// Let `v` be some value (either temporary or named) and 'a be some
240 /// lifetime (scope). If the type of `v` owns data of type `D`, where
242 /// * (1.) `D` has a lifetime- or type-parametric Drop implementation, and
243 /// * (2.) the structure of `D` can reach a reference of type `&'a _`, and
245 /// * (A.) the Drop impl for `D` instantiates `D` at 'a directly,
246 /// i.e. `D<'a>`, or,
247 /// * (B.) the Drop impl for `D` has some type parameter with a
248 /// trait bound `T` where `T` is a trait that has at least
251 /// then 'a must strictly outlive the scope of v.
255 /// This function is meant to by applied to the type for every
256 /// expression in the program.
257 pub fn check_safety_of_destructor_if_necessary<'a, 'tcx>(rcx: &mut Rcx<'a, 'tcx>,
260 scope: region::CodeExtent) {
261 debug!("check_safety_of_destructor_if_necessary typ: {:?} scope: {:?}",
264 let parent_scope = rcx.tcx().region_maps.opt_encl_scope(scope).unwrap_or_else(|| {
265 rcx.tcx().sess.span_bug(
266 span, &format!("no enclosing scope found for scope: {:?}", scope))
269 let result = iterate_over_potentially_unsafe_regions_in_type(
273 parent_scope: parent_scope,
274 breadcrumbs: FnvHashSet()
281 Err(Error::Overflow(ref ctxt, ref detected_on_typ)) => {
283 span_err!(tcx.sess, span, E0320,
284 "overflow while adding drop-check rules for {}", typ);
286 TypeContext::Root => {
287 // no need for an additional note if the overflow
288 // was somehow on the root.
290 TypeContext::ADT { def_id, variant, field, field_index } => {
291 let adt = tcx.lookup_adt_def(def_id);
292 let variant_name = match adt.adt_kind() {
293 ty::AdtKind::Enum => format!("enum {} variant {}",
294 tcx.item_path_str(def_id),
296 ty::AdtKind::Struct => format!("struct {}",
297 tcx.item_path_str(def_id))
299 let field_name = if field == special_idents::unnamed_field.name {
300 format!("#{}", field_index)
302 format!("`{}`", field)
307 "overflowed on {} field {} type: {}",
318 Overflow(TypeContext, ty::Ty<'tcx>),
321 #[derive(Copy, Clone)]
332 struct DropckContext<'a, 'b: 'a, 'tcx: 'b> {
333 rcx: &'a mut Rcx<'b, 'tcx>,
334 /// types that have already been traversed
335 breadcrumbs: FnvHashSet<Ty<'tcx>>,
336 /// span for error reporting
338 /// the scope reachable dtorck types must outlive
339 parent_scope: region::CodeExtent
342 // `context` is used for reporting overflow errors
343 fn iterate_over_potentially_unsafe_regions_in_type<'a, 'b, 'tcx>(
344 cx: &mut DropckContext<'a, 'b, 'tcx>,
345 context: TypeContext,
347 depth: usize) -> Result<(), Error<'tcx>>
349 let tcx = cx.rcx.tcx();
350 // Issue #22443: Watch out for overflow. While we are careful to
351 // handle regular types properly, non-regular ones cause problems.
352 let recursion_limit = tcx.sess.recursion_limit.get();
353 if depth / 4 >= recursion_limit {
354 // This can get into rather deep recursion, especially in the
355 // presence of things like Vec<T> -> Unique<T> -> PhantomData<T> -> T.
356 // use a higher recursion limit to avoid errors.
357 return Err(Error::Overflow(context, ty))
360 if !cx.breadcrumbs.insert(ty) {
361 debug!("iterate_over_potentially_unsafe_regions_in_type \
362 {}ty: {} scope: {:?} - cached",
363 (0..depth).map(|_| ' ').collect::<String>(),
364 ty, cx.parent_scope);
365 return Ok(()); // we already visited this type
367 debug!("iterate_over_potentially_unsafe_regions_in_type \
368 {}ty: {} scope: {:?}",
369 (0..depth).map(|_| ' ').collect::<String>(),
370 ty, cx.parent_scope);
372 // If `typ` has a destructor, then we must ensure that all
373 // borrowed data reachable via `typ` must outlive the parent
374 // of `scope`. This is handled below.
376 // However, there is an important special case: by
377 // parametricity, any generic type parameters have *no* trait
378 // bounds in the Drop impl can not be used in any way (apart
379 // from being dropped), and thus we can treat data borrowed
380 // via such type parameters remains unreachable.
382 // For example, consider `impl<T> Drop for Vec<T> { ... }`,
383 // which does have to be able to drop instances of `T`, but
384 // otherwise cannot read data from `T`.
386 // Of course, for the type expression passed in for any such
387 // unbounded type parameter `T`, we must resume the recursive
388 // analysis on `T` (since it would be ignored by
389 // type_must_outlive).
391 // FIXME (pnkfelix): Long term, we could be smart and actually
392 // feed which generic parameters can be ignored *into* `fn
393 // type_must_outlive` (or some generalization thereof). But
394 // for the short term, it probably covers most cases of
395 // interest to just special case Drop impls where: (1.) there
396 // are no generic lifetime parameters and (2.) *all* generic
397 // type parameters are unbounded. If both conditions hold, we
398 // simply skip the `type_must_outlive` call entirely (but
399 // resume the recursive checking of the type-substructure).
400 if has_dtor_of_interest(tcx, ty) {
401 debug!("iterate_over_potentially_unsafe_regions_in_type \
402 {}ty: {} - is a dtorck type!",
403 (0..depth).map(|_| ' ').collect::<String>(),
406 regionck::type_must_outlive(cx.rcx,
407 infer::SubregionOrigin::SafeDestructor(cx.span),
409 ty::ReScope(cx.parent_scope));
414 debug!("iterate_over_potentially_unsafe_regions_in_type \
415 {}ty: {} scope: {:?} - checking interior",
416 (0..depth).map(|_| ' ').collect::<String>(),
417 ty, cx.parent_scope);
419 // We still need to ensure all referenced data is safe.
421 ty::TyBool | ty::TyChar | ty::TyInt(_) | ty::TyUint(_) |
422 ty::TyFloat(_) | ty::TyStr => {
423 // primitive - definitely safe
427 ty::TyBox(ity) | ty::TyArray(ity, _) | ty::TySlice(ity) => {
428 // single-element containers, behave like their element
429 iterate_over_potentially_unsafe_regions_in_type(
430 cx, context, ity, depth+1)
433 ty::TyStruct(def, substs) if def.is_phantom_data() => {
434 // PhantomData<T> - behaves identically to T
435 let ity = *substs.types.get(subst::TypeSpace, 0);
436 iterate_over_potentially_unsafe_regions_in_type(
437 cx, context, ity, depth+1)
440 ty::TyStruct(def, substs) | ty::TyEnum(def, substs) => {
442 for variant in &def.variants {
443 for (i, field) in variant.fields.iter().enumerate() {
444 let fty = field.ty(tcx, substs);
445 let fty = cx.rcx.fcx.resolve_type_vars_if_possible(
446 cx.rcx.fcx.normalize_associated_types_in(cx.span, &fty));
447 try!(iterate_over_potentially_unsafe_regions_in_type(
452 variant: variant.name,
462 ty::TyTuple(ref tys) |
463 ty::TyClosure(_, box ty::ClosureSubsts { upvar_tys: ref tys, .. }) => {
465 try!(iterate_over_potentially_unsafe_regions_in_type(
466 cx, context, ty, depth+1))
471 ty::TyRawPtr(..) | ty::TyRef(..) | ty::TyParam(..) => {
472 // these always come with a witness of liveness (references
473 // explicitly, pointers implicitly, parameters by the
478 ty::TyBareFn(..) => {
479 // FIXME(#26656): this type is always destruction-safe, but
480 // it implicitly witnesses Self: Fn, which can be false.
484 ty::TyInfer(..) | ty::TyError => {
485 tcx.sess.delay_span_bug(cx.span, "unresolved type in regionck");
489 // these are always dtorck
490 ty::TyTrait(..) | ty::TyProjection(_) => unreachable!(),
494 fn has_dtor_of_interest<'tcx>(tcx: &ty::ctxt<'tcx>,
495 ty: ty::Ty<'tcx>) -> bool {
497 ty::TyEnum(def, _) | ty::TyStruct(def, _) => {
500 ty::TyTrait(..) | ty::TyProjection(..) => {
501 debug!("ty: {:?} isn't known, and therefore is a dropck type", ty);
projects / rust.git / blob