Trait object allowed to escape its lifetime

[brandonw]

Updated description

This code should be rejected from the compiler, but it is not:

trait Foo {}

struct A;

impl Foo for A {}

impl Drop for A {
    fn drop(&mut self) { println!("dropping"); }
}

struct B<'a>(&'a Foo);

fn foo<'a>(a: &Foo) -> B<'a> { B(a) }

fn main() {
    let _test = foo(&A);
    println!("test");
}

Original Issue

Crash when reading from stdin

Depending on whether you let the compiler infer traits for you or not, you can make a program reading input from stdin crash in a couple different ways.

Repro here: https://gist.github.com/brandonw/3a3d040b7c6213740794

[alexcrichton]

Can you provide some contextual information such as rustc version and platform you're running on? I cannot reproduce the segfault you've mentioned on either OSX or ubuntu.

[BurntSushi]

This fails: https://gist.github.com/1f36060fd4e533ae0d8b (I'm surprised this one compiles actually.)

So does this: https://gist.github.com/6ee5ffe1de090ff3a2d0

Version:

[andrew@Liger ~] rustc --version
rustc 0.11.0-pre (3da5a5c 2014-05-17 05:06:27 -0700)
host: x86_64-unknown-linux-gnu

[BurntSushi]

Try with:

rustc scratch.rs
echo test | ./scratch

[brandonw]

Alex,

Sorry if I didn't make it clear enough. The gist has the working version uncommented, and the bug code is actually commented out. That was probably a poor decision on my part.

[alexcrichton]

Updating to a more minimal description. Nominating and cc @nikomatsakis

[alexcrichton]

It appears the bug is that the argument taken in the buggy examples is &mut std::io::Reader instead of &'a mut std::io::Reader

[huonw]

Seems similar/identical to #5723, #9745 and/or #11971.

[brandonw]

Is it relevant that different errors would be encountered based on whether you piped data in or not? Or is that a red herring?

The assertion error is encountered in the original gist if you pipe data in, while if you do not pipe data in then the program segfaults before exiting.

[alexcrichton]

The problem appears to be that the I/O object is being dropped, and then being used. This basically amounts to use-after-free, and LLVM optimizations can do really weird things to that, causing segfaults/asserts and whatnot.

[edwardw]

The root cause lies in variance.rs#L744-L748, where the lifetime parameter of a possible trait reference should be accounted for but isn't. The fix is rather straightforward and had been tried before, but unfortunately never landed. It invalidates json.rs#L379-L388.

BTW, with that fix rustc does reject the code in question:

// error: cannot infer an appropriate lifetime
fn foo<'a>(a: &Foo) -> B<'a> { B(a) }

[edwardw]

The #12470 shares the same root cause with this one, but they are manifested in quite different ways. I'd suggest to keep both tickets open and since #12470 has been tagged as 1.0 milestone so probably this one doesn't need to.

[pnkfelix]

Treating as dupe of #12470. Removing I-nominated tag; it should be treated with whatever severity #12470 is.

(And if someone can convince me that the code example here adds no value beyond what is documented in #12470, then maybe we should close this.)