Unconstrained lifetime in associated type using trait object leads to unsound lifetime extension and ICE

[konnorandrews]

I was playing around with defining higher ranked types using trait objects and tried the following pattern.

trait A<T>: B<T = T> {}

trait B {
    type T;
}

To my surprise trait objects of the form dyn for<'a> A<&'a T> were allowed. After some experimentation I found that this leads to UB in safe rust.

trait A<T>: B<T = T> {}

trait B {
    type T;
}

struct Erase<T: ?Sized + B>(T::T);

fn main() {
    let x = {
        let x = String::from("hello");
        
        Erase::<dyn for<'a> A<&'a _>>(x.as_str())
    };
    
    dbg!(x.0);
}

[src/main.rs:16:5] x.0 = "\0\0\0\0\0"

playground

This is likely related to 25860 somehow, but I haven't seen this flavor before.

Meta

This effects all versions from latest nightly to 1.33.0 (on 1.32.0 it causes a ICE, and before it wasn't allowed).

[konnorandrews]

@rustbot labels +I-unsound

[theemathas]

Another variant:

#![feature(type_alias_impl_trait)]

trait A<T>: B<T = T> {}

trait B {
    type T;
}

struct Erase<T: ?Sized + B>(T::T);

type Alias = impl for<'a> A<&'a str> + ?Sized;

fn conjure() -> &'static dyn for<'a> A<&'a str> {
    unimplemented!()
}

fn dummy() -> &'static Alias {
    conjure()
}

fn main() {
    let x = {
        let x = String::from("hello");
        
        Erase::<Alias>(x.as_str())
    };
    
    dbg!(x.0);
}

[konnorandrews]

With more testing the struct type

struct Erase<T: ?Sized + B>(T::T);

is important for this issue to be seen. Rustc seems to not have a consistent lifetime given to the .0 field so it's free to unify with whatever it needs to.

[konnorandrews]

Obligatory lifetime transmute example.

fn make_static<'a, 'b, T: ?Sized>(x: &'a T) -> &'b T {
    trait A<T>: B<T = T> {}
    
    trait B {
        type T;
    }
    
    struct Erase<T: ?Sized + B>(T::T);

    Erase::<dyn for<'c> A<&'c T>>(x).0
}

fn main() {
    let s = {
        make_static(String::from("hello").as_str())
    };
    
    dbg!(s);
}

[theemathas]

A variant that doesn't use the Erase struct

trait A<T>: B<T = T> {}

trait B {
    type T;
}

fn foo(a: <dyn for<'a> A<&'a str> as B>::T) -> &'static str {
    a
}

fn main() {
    let x = foo(String::from("hello").as_str());
    dbg!(x);
}

[theemathas]

Also works the other way around:

trait A<T>: B<T = T> {}

trait B {
    type T;
}

fn foo<'b>(a: &'b str) -> <dyn for<'a> A<&'a str> as B>::T {
    a
}

fn main() {
    let x = foo(String::from("hello").as_str());
    dbg!(x);
}

[konnorandrews]

The function seems to play the same role of allowing rustc a space to have an undefined lifetime it can assign to anything.

[konnorandrews]

More experimentation resulted in a ICE.

trait A<'a, T: 'a>: B<T, T = &'a T> {
    
}

trait B<U> {
    type T;
}

type Magic<T> = <dyn for<'a> A<'a, T> as B<T>>::T;

fn make_static<'b, T: ?Sized>(a: Magic<T>) -> &'b T {
    a
}

fn main() {
    let x = make_static(String::from("hello").as_str());
    dbg!(x);
}

note: no errors encountered even though delayed bugs were created

note: those delayed bugs will now be shown as internal compiler errors

error: internal compiler error: error performing operation: fully_perform
  --> src/main.rs:16:13
   |
16 |     let x = make_static(String::from("hello").as_str());
   |             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   |
note: delayed at /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/compiler/rustc_trait_selection/src/traits/query/type_op/custom.rs:85:25 - disabled backtrace
  --> src/main.rs:16:13
   |
16 |     let x = make_static(String::from("hello").as_str());
   |             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

note: we would appreciate a bug report: https://github.com/rust-lang/rust/issues/new?labels=C-bug%2C+I-ICE%2C+T-compiler&template=ice.md

note: rustc 1.81.0 (eeb90cda1 2024-09-04) running on x86_64-unknown-linux-gnu

note: compiler flags: --crate-type bin -C embed-bitcode=no -C codegen-units=1 -C debuginfo=2

note: some of the compiler flags provided by cargo are hidden

query stack during panic:
end of query stack