make accesses to fields of packed structs unsafe

To handle packed structs with destructors (which you'll think are a rare
case, but the `#[repr(packed)] struct Packed<T>(T);` pattern is
ever-popular, which requires handling packed structs with destructors to
avoid monomorphization-time errors), drops of subfields of packed
structs should drop a local move of the field instead of the original
one.

cc #27060 - this should deal with that issue after codegen of drop glue
is updated.

The new errors need to be changed to future-compatibility warnings, but
I'll rather do a crater run first with them as errors to assess the
impact.

Author: arielb1

src/librustc_mir/transform/check_unsafety.rs

@@ -12,7 +12,7 @@ use rustc_data_structures::fx::FxHashSet;
 use rustc_data_structures::indexed_vec::IndexVec;
 
 use rustc::ty::maps::Providers;
-use rustc::ty::{self, TyCtxt};
+use rustc::ty::{self, Ty, TyCtxt};
 use rustc::hir;
 use rustc::hir::def::Def;
 use rustc::hir::def_id::DefId;
@@ -31,6 +31,9 @@ pub struct UnsafetyChecker<'a, 'tcx: 'a> {
     visibility_scope_info: &'a IndexVec<VisibilityScope, VisibilityScopeInfo>,
     violations: Vec<UnsafetyViolation>,
     source_info: SourceInfo,
+    // true if an a part of this *memory block* of this expression
+    // is being borrowed, used for repr(packed) checking.
+    need_check_packed: bool,
     tcx: TyCtxt<'a, 'tcx, 'tcx>,
     param_env: ty::ParamEnv<'tcx>,
     used_unsafe: FxHashSet<ast::NodeId>,
@@ -51,6 +54,7 @@ impl<'a, 'gcx, 'tcx> UnsafetyChecker<'a, 'tcx> {
             },
             tcx,
             param_env,
+            need_check_packed: false,
             used_unsafe: FxHashSet(),
         }
     }
@@ -130,6 +134,14 @@ impl<'a, 'tcx> Visitor<'tcx> for UnsafetyChecker<'a, 'tcx> {
                     lvalue: &Lvalue<'tcx>,
                     context: LvalueContext<'tcx>,
                     location: Location) {
+        let old_need_check_packed = self.need_check_packed;
+        if let LvalueContext::Borrow { .. } = context {
+            let ty = lvalue.ty(self.mir, self.tcx).to_ty(self.tcx);
+            if !self.has_align_1(ty) {
+                self.need_check_packed = true;
+            }
+        }
+
         match lvalue {
             &Lvalue::Projection(box Projection {
                 ref base, ref elem
@@ -143,31 +155,39 @@ impl<'a, 'tcx> Visitor<'tcx> for UnsafetyChecker<'a, 'tcx> {
                         self.source_info = self.mir.local_decls[local].source_info;
                     }
                 }
+                if let &ProjectionElem::Deref = elem {
+                    self.need_check_packed = false;
+                }
                 let base_ty = base.ty(self.mir, self.tcx).to_ty(self.tcx);
                 match base_ty.sty {
                     ty::TyRawPtr(..) => {
                         self.require_unsafe("dereference of raw pointer")
                     }
-                    ty::TyAdt(adt, _) if adt.is_union() => {
-                        if context == LvalueContext::Store ||
-                            context == LvalueContext::Drop
-                        {
-                            let elem_ty = match elem {
-                                &ProjectionElem::Field(_, ty) => ty,
-                                _ => span_bug!(
-                                    self.source_info.span,
-                                    "non-field projection {:?} from union?",
-                                    lvalue)
-                            };
-                            if elem_ty.moves_by_default(self.tcx, self.param_env,
-                                                        self.source_info.span) {
-                                self.require_unsafe(
-                                    "assignment to non-`Copy` union field")
+                    ty::TyAdt(adt, _) => {
+                        if adt.is_union() {
+                            if context == LvalueContext::Store ||
+                                context == LvalueContext::Drop
+                            {
+                                let elem_ty = match elem {
+                                    &ProjectionElem::Field(_, ty) => ty,
+                                    _ => span_bug!(
+                                        self.source_info.span,
+                                        "non-field projection {:?} from union?",
+                                        lvalue)
+                                };
+                                if elem_ty.moves_by_default(self.tcx, self.param_env,
+                                                            self.source_info.span) {
+                                    self.require_unsafe(
+                                        "assignment to non-`Copy` union field")
+                                } else {
+                                    // write to non-move union, safe
+                                }
                             } else {
-                                // write to non-move union, safe
+                                self.require_unsafe("access to union field")
                             }
-                        } else {
-                            self.require_unsafe("access to union field")
+                        }
+                        if adt.repr.packed() && self.need_check_packed {
+                            self.require_unsafe("borrow of packed field")
                         }
                     }
                     _ => {}
@@ -191,8 +211,9 @@ impl<'a, 'tcx> Visitor<'tcx> for UnsafetyChecker<'a, 'tcx> {
                     }]);
                 }
             }
-        }
+        };
         self.super_lvalue(lvalue, context, location);
+        self.need_check_packed = old_need_check_packed;
     }
 }
 
@@ -215,6 +236,14 @@ impl<'a, 'tcx> UnsafetyChecker<'a, 'tcx> {
             }
         }
     }
+
+    fn has_align_1(&self, ty: Ty<'tcx>) -> bool {
+        self.tcx.at(self.source_info.span)
+            .layout_raw(self.param_env.and(ty))
+            .map(|layout| layout.align(self.tcx).abi() == 1)
+            .unwrap_or(false)
+    }
+
     fn require_unsafe(&mut self,
                       description: &'static str)
     {

src/librustc_typeck/check/wfcheck.rs

@@ -14,7 +14,7 @@ use constrained_type_params::{identify_constrained_type_params, Parameter};
 
 use hir::def_id::DefId;
 use rustc::traits::{self, ObligationCauseCode};
-use rustc::ty::{self, Ty, TyCtxt};
+use rustc::ty::{self, Lift, Ty, TyCtxt};
 use rustc::util::nodemap::{FxHashSet, FxHashMap};
 use rustc::middle::lang_items;
 
@@ -223,10 +223,31 @@ impl<'a, 'gcx> CheckTypeWellFormedVisitor<'a, 'gcx> {
     {
         self.for_item(item).with_fcx(|fcx, this| {
             let variants = lookup_fields(fcx);
+            let def_id = fcx.tcx.hir.local_def_id(item.id);
+            let packed = fcx.tcx.adt_def(def_id).repr.packed();
 
             for variant in &variants {
-                // For DST, all intermediate types must be sized.
-                let unsized_len = if all_sized || variant.fields.is_empty() { 0 } else { 1 };
+                // For DST, or when drop needs to copy things around, all
+                // intermediate types must be sized.
+                let needs_drop_copy = || {
+                    packed && {
+                        let ty = variant.fields.last().unwrap().ty;
+                        let ty = fcx.tcx.erase_regions(&ty).lift_to_tcx(this.tcx)
+                            .unwrap_or_else(|| {
+                                span_bug!(item.span, "inference variables in {:?}", ty)
+                            });
+                        ty.needs_drop(this.tcx, this.tcx.param_env(def_id))
+                    }
+                };
+                let unsized_len = if
+                    all_sized ||
+                    variant.fields.is_empty() ||
+                    needs_drop_copy()
+                {
+                    0
+                } else {
+                    1
+                };
                 for field in &variant.fields[..variant.fields.len() - unsized_len] {
                     fcx.register_bound(
                         field.ty,
@@ -245,7 +266,6 @@ impl<'a, 'gcx> CheckTypeWellFormedVisitor<'a, 'gcx> {
                 }
             }
 
-            let def_id = fcx.tcx.hir.local_def_id(item.id);
             let predicates = fcx.tcx.predicates_of(def_id).instantiate_identity(fcx.tcx);
             let predicates = fcx.normalize_associated_types_in(item.span, &predicates);
             this.check_where_clauses(fcx, item.span, &predicates);

src/libsyntax_pos/span_encoding.rs

@@ -19,16 +19,30 @@ use hygiene::SyntaxContext;
 
 use rustc_data_structures::fx::FxHashMap;
 use std::cell::RefCell;
+use std::hash::{Hash, Hasher};
 
 /// A compressed span.
 /// Contains either fields of `SpanData` inline if they are small, or index into span interner.
 /// The primary goal of `Span` is to be as small as possible and fit into other structures
 /// (that's why it uses `packed` as well). Decoding speed is the second priority.
 /// See `SpanData` for the info on span fields in decoded representation.
-#[derive(Clone, Copy, PartialEq, Eq, Hash)]
+#[derive(Clone, Copy)]
 #[repr(packed)]
 pub struct Span(u32);
 
+impl PartialEq for Span {
+    #[inline]
+    fn eq(&self, other: &Self) -> bool { ({self.0}) == ({other.0}) }
+}
+
+impl Eq for Span {}
+
+impl Hash for Span {
+    fn hash<H: Hasher>(&self, s: &mut H) {
+        {self.0}.hash(s)
+    }
+}
+
 /// Dummy span, both position and length are zero, syntax context is zero as well.
 /// This span is kept inline and encoded with format 0.
 pub const DUMMY_SP: Span = Span(0);

src/test/compile-fail/issue-27060-2.rs

@@ -0,0 +1,16 @@
+// Copyright 2017 The Rust Project Developers. See the COPYRIGHT
+// file at the top-level directory of this distribution and at
+// http://rust-lang.org/COPYRIGHT.
+//
+// Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
+// http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
+// <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your
+// option. This file may not be copied, modified, or distributed
+// except according to those terms.
+
+#[repr(packed)]
+pub struct Bad<T: ?Sized> {
+    data: T, //~ ERROR `T: std::marker::Sized` is not satisfied
+}
+
+fn main() {}

src/test/compile-fail/issue-27060.rs

@@ -0,0 +1,40 @@
+// Copyright 2017 The Rust Project Developers. See the COPYRIGHT
+// file at the top-level directory of this distribution and at
+// http://rust-lang.org/COPYRIGHT.
+//
+// Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
+// http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
+// <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your
+// option. This file may not be copied, modified, or distributed
+// except according to those terms.
+
+#[repr(packed)]
+pub struct Good {
+    data: &'static u32,
+    data2: [&'static u32; 2],
+    aligned: [u8; 32],
+}
+
+#[repr(packed)]
+pub struct JustArray {
+    array: [u32]
+}
+
+fn main() {
+    let good = Good {
+        data: &0,
+        data2: [&0, &0],
+        aligned: [0; 32]
+    };
+
+    unsafe {
+        let _ = &good.data; // ok
+        let _ = &good.data2[0]; // ok
+    }
+
+    let _ = &good.data; //~ ERROR borrow of packed field requires unsafe
+    let _ = &good.data2[0]; //~ ERROR borrow of packed field requires unsafe
+    let _ = &*good.data; // ok, behind a pointer
+    let _ = &good.aligned; // ok, has align 1
+    let _ = &good.aligned[2]; // ok, has align 1
+}

src/test/run-pass/packed-struct-borrow-element.rs

@@ -17,7 +17,7 @@ struct Foo {
 
 pub fn main() {
     let foo = Foo { bar: 1, baz: 2 };
-    let brw = &foo.baz;
+    let brw = unsafe { &foo.baz };
 
     assert_eq!(*brw, 2);
 }