Compiler accepts return mut ref to local var on no longer valid stackframe

[CasualX]

Spotted on reddit: https://www.reddit.com/r/rust/comments/7i64sy/safe_function_returns_static_mut/
credit to jDomantas

I tried this code: playground

fn gimme_static_mut() -> &'static mut u32 {
    let ref mut x = 1234543;
    x
}

fn main() {
    let x = gimme_static_mut();
    let y = gimme_static_mut();
    *y = 42;
    let a = *x;
    println!("a: {}", a);
}

This is accepted by the compiler and prints 42.

I expected to see this happen: The program should be rejected by the compiler with a lifetime error

Instead this happened: The program was accepted and miscompiled badly

The assembly code clearly demonstrates the problem, a local variable is created for the literal, its address is taken and returned:

playground::gimme_static_mut:
.Lfunc_begin2:
	push	rbp
.Lcfi6:
.Lcfi7:
	mov	rbp, rsp
.Lcfi8:
	sub	rsp, 16
	lea	rax, [rbp - 4]
.Ltmp6:
	mov	dword ptr [rbp - 4], 1234543
	mov	qword ptr [rbp - 16], rax
	mov	rax, qword ptr [rbp - 16]
.Ltmp7:
	add	rsp, 16
	pop	rbp
	ret
.Ltmp8:
.Lfunc_end2:

Meta

Latest version on playground

[collares]

This program is rejected by rustc 1.20.0, but is accepted by rustc 1.21.0. Bisecting now.

[skade]

@mauricioc This is due to #38865. It wasn't a feature in 1.20. 1.20 also doesn't compile the immutable (safe) variant:

fn gimme_static() -> &'static u32 {
    let ref x = 1234543;
    x
}

[CasualX]

An alternative way to define gimme_static_mut:

fn gimme_static_mut() -> &'static mut u32 {
    let x = &mut 1234543;
    x
}

Gives the expected compiler error:

   Compiling playground v0.0.1 (file:///playground)
error[E0597]: borrowed value does not live long enough
 --> src/main.rs:2:18
  |
2 |     let x = &mut 1234543;
  |                  ^^^^^^^ does not live long enough
3 |     x
4 | }
  | - temporary value only lives until here
  |
  = note: borrowed value must be valid for the static lifetime...

error: aborting due to previous error

error: Could not compile `playground`.

To learn more, run the command again with --verbose.

Looks like an oversight with the ref mut pattern match syntax to capture the literal by reference.

[nikomatsakis]

Fixed by MIR borrowck.

[shepmaster]

Fixed by MIR borrowck.

Which isn't enabled in Rust 1.23 beta, so we still need to fix this in some other fashion for the next release, correct?

[bstrie]

I see that Niko has commented though I don't see a priority assigned yet, so nominating for completeness.

[shepmaster]

This issue continues to ship in stable Rust 1.23

[nikomatsakis]

My expectation is that this will be fixed (along with a number of other bugs) when we transition to the MIR-based borrow checker (and NLL). I guess it's worth discussing whether we feel we ought to try to fix faster than that.