mikros/rust
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
rust/src/comp/middle/alias.rs

608 lines
20 KiB
Rust
Raw Normal View History

First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
import front::ast;
import front::ast::ident;
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
import front::ast::def_num;
import util::common::span;
import visit::vt;
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
import std::vec;
import std::str;
import std::option;
import std::option::some;
import std::option::none;
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
import std::option::is_none;
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
Extend alias analysis to check assignments This is a somewhat odd place to put these checks, but the data tracked by that pass, and the available functions, make it trivial to do such a check there.
2011-06-15 12:17:37 +02:00
// This is not an alias-analyser (though it would merit from becoming one, or
// at getting input from one, to be more precise). It is a pass that checks
// whether aliases are used in a safe way. Beyond that, though it doesn't have
// a lot to do with aliases, it also checks whether assignments are valid
// (using an lval, which is actually mutable), since it already has all the
// information needed to do that (and the typechecker, which would be a
// logical place for such a check, doesn't).
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
tag valid {
valid;
overwritten(span, ast::path);
val_taken(span, ast::path);
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
}
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
type restrict = @rec(vec[def_num] root_vars,
def_num block_defnum,
vec[def_num] bindings,
vec[ty::t] tys,
Properly handle lifetime of aliases in nested blocks There was a bug that would cause the alias analyser to allow you to invalidate an alias that was no longer directly referred to, even if another alias was rooted in it. It now properly tracks dependencies between live aliases. Required another case of copying values in map.rs.
2011-06-09 14:19:13 +02:00
vec[uint] depends_on,
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
mutable valid ok);
Implement mutable/immutable alias distinction. Before, all aliases were implicitly mutable, and writing &mutable was the same as writing &. Now, the two are distinguished, and assignments to regular aliases are no longer allowed.
2011-06-10 12:03:50 +02:00
type scope = rec(vec[tup(def_num, ast::mode)] args,
vec[restrict] rs);
fn scope(&scope sc, vec[restrict] add) -> scope {
ret rec(args=sc.args, rs=sc.rs + add);
}
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
type ctx = rec(@ty::ctxt tcx,
resolve::def_map dm);
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
fn check_crate(@ty::ctxt tcx, resolve::def_map dm, &@ast::crate crate) {
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
auto cx = @rec(tcx = tcx, dm = dm);
auto v = @rec(visit_fn = visit_fn,
visit_expr = bind visit_expr(cx, _, _, _)
with *visit::default_visitor[scope]());
Implement mutable/immutable alias distinction. Before, all aliases were implicitly mutable, and writing &mutable was the same as writing &. Now, the two are distinguished, and assignments to regular aliases are no longer allowed.
2011-06-10 12:03:50 +02:00
visit::visit_crate(*crate, rec(args=[], rs=[]), visit::vtor(v));
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
}
Pass ty params to visit::visit_fn
2011-06-09 15:50:20 +02:00
fn visit_fn(&ast::_fn f, &vec[ast::ty_param] tp, &span sp, &ident name,
&ast::def_id d_id, &ast::ann a, &scope sc, &vt[scope] v) {
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
visit::visit_fn_decl(f.decl, sc, v);
Implement mutable/immutable alias distinction. Before, all aliases were implicitly mutable, and writing &mutable was the same as writing &. Now, the two are distinguished, and assignments to regular aliases are no longer allowed.
2011-06-10 12:03:50 +02:00
auto args = [];
for (ast::arg arg in f.decl.inputs) {
vec::push(args, tup(arg.id._1, arg.mode));
}
vt(v).visit_block(f.body, rec(args=args, rs=[]), v);
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
}
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
fn visit_expr(&@ctx cx, &@ast::expr ex, &scope sc, &vt[scope] v) {
auto handled = false;
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
alt (ex.node) {
case (ast::expr_call(?f, ?args, _)) {
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
check_call(*cx, f, args, sc);
}
case (ast::expr_alt(?input, ?arms, _)) {
check_alt(*cx, input, arms, sc, v);
handled = true;
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
}
case (ast::expr_put(?val, _)) {
alt (val) {
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
case (some(?ex)) {
auto root = expr_root(*cx, ex, false);
Refactor expr_root in alias.rs It was too clunky and specific before. Now returns a vec of dereference specs instead of a bunch of special-case information. Further accessors extract the information they need from this vec.
2011-06-15 11:03:23 +02:00
if (mut_field(root.ds)) {
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
cx.tcx.sess.span_err
(ex.span,
"result of put must be immutably rooted");
}
visit_expr(cx, ex, sc, v);
}
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
case (_) {}
}
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
handled = true;
}
case (ast::expr_for_each(?decl, ?call, ?block, _)) {
check_for_each(*cx, decl, call, block, sc, v);
handled = true;
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
}
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
case (ast::expr_for(?decl, ?seq, ?block, _)) {
check_for(*cx, decl, seq, block, sc, v);
handled = true;
}
case (ast::expr_path(?pt, ?ann)) {
check_var(*cx, ex, pt, ann, false, sc);
}
case (ast::expr_move(?dest, ?src, _)) {
check_assign(cx, dest, src, sc, v);
handled = true;
}
case (ast::expr_assign(?dest, ?src, _)) {
check_assign(cx, dest, src, sc, v);
handled = true;
}
case (ast::expr_assign_op(_, ?dest, ?src, _)) {
check_assign(cx, dest, src, sc, v);
handled = true;
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
}
case (_) {}
}
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
if (!handled) { visit::visit_expr(ex, sc, v); }
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
}
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
fn check_call(&ctx cx, &@ast::expr f, &vec[@ast::expr] args, &scope sc)
-> rec(vec[def_num] root_vars, vec[ty::t] unsafe_ts) {
auto fty = ty::expr_ty(*cx.tcx, f);
auto arg_ts = alt (ty::struct(*cx.tcx, fty)) {
Further support for predicate constraints Changed function types to include a list of constraints. Added code for parsing and pretty-printing constraints. This necessitated splitting pprust into two files (pprust and ppaux) to break a circulate dependency, as ty_to_str now needs to print out constraints, which may include literals, but pprust depended on ty.
2011-06-09 09:48:16 -07:00
case (ty::ty_fn(_, ?args, _, _, _)) { args }
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
case (ty::ty_native_fn(_, ?args, _)) { args }
};
let vec[def_num] roots = [];
Handle mutable references in alias analysis
2011-06-10 16:38:13 +02:00
let vec[tup(uint, def_num)] mut_roots = [];
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
let vec[ty::t] unsafe_ts = [];
let vec[uint] unsafe_t_offsets = [];
Handle mutable references in alias analysis
2011-06-10 16:38:13 +02:00
auto i = 0u;
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
for (ty::arg arg_t in arg_ts) {
if (arg_t.mode != ty::mo_val) {
Handle mutable references in alias analysis
2011-06-10 16:38:13 +02:00
auto arg = args.(i);
auto root = expr_root(cx, arg, false);
if (arg_t.mode == ty::mo_alias(true)) {
alt (path_def_id(cx, arg)) {
case (some(?did)) {
vec::push(mut_roots, tup(i, did._1));
}
case (_) {
Refactor expr_root in alias.rs It was too clunky and specific before. Now returns a vec of dereference specs instead of a bunch of special-case information. Further accessors extract the information they need from this vec.
2011-06-15 11:03:23 +02:00
if (!mut_field(root.ds)) {
Handle mutable references in alias analysis
2011-06-10 16:38:13 +02:00
cx.tcx.sess.span_err
(arg.span, "passing a temporary value or \
immutable field by mutable alias");
}
}
}
}
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
alt (path_def_id(cx, root.ex)) {
case (some(?did)) { vec::push(roots, did._1); }
case (_) {}
}
Refactor expr_root in alias.rs It was too clunky and specific before. Now returns a vec of dereference specs instead of a bunch of special-case information. Further accessors extract the information they need from this vec.
2011-06-15 11:03:23 +02:00
alt (inner_mut(root.ds)) {
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
case (some(?t)) {
vec::push(unsafe_ts, t);
vec::push(unsafe_t_offsets, i);
}
case (_) {}
}
}
i += 1u;
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
}
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
if (vec::len(unsafe_ts) > 0u) {
alt (f.node) {
case (ast::expr_path(_, ?ann)) {
if (def_is_local(cx.dm.get(ann.id))) {
cx.tcx.sess.span_err
(f.span, #fmt("function may alias with argument \
%u, which is not immutably rooted",
unsafe_t_offsets.(0)));
}
}
case (_) {}
}
}
auto j = 0u;
for (ty::t unsafe in unsafe_ts) {
auto offset = unsafe_t_offsets.(j);
j += 1u;
auto i = 0u;
for (ty::arg arg_t in arg_ts) {
Handle mutable references in alias analysis
2011-06-10 16:38:13 +02:00
auto mut_alias = arg_t.mode == ty::mo_alias(true);
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
if (i != offset &&
Handle mutable references in alias analysis
2011-06-10 16:38:13 +02:00
ty_can_unsafely_include(cx, unsafe, arg_t.ty, mut_alias)) {
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
cx.tcx.sess.span_err
(args.(i).span, #fmt("argument %u may alias with \
argument %u, which is not immutably rooted", i, offset));
}
i += 1u;
}
}
Handle mutable references in alias analysis
2011-06-10 16:38:13 +02:00
// Ensure we're not passing a root by mutable alias.
for (tup(uint, def_num) root in mut_roots) {
auto mut_alias_to_root = vec::count(root._1, roots) > 1u;
for (restrict r in sc.rs) {
if (vec::member(root._1, r.root_vars)) {
mut_alias_to_root = true;
}
}
if (mut_alias_to_root) {
cx.tcx.sess.span_err
(args.(root._0).span, "passing a mutable alias to a \
variable that roots another alias");
}
}
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
ret rec(root_vars = roots, unsafe_ts = unsafe_ts);
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
}
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
fn check_alt(&ctx cx, &@ast::expr input, &vec[ast::arm] arms,
&scope sc, &vt[scope] v) {
visit::visit_expr(input, sc, v);
auto root = expr_root(cx, input, true);
auto roots = alt (path_def_id(cx, root.ex)) {
case (some(?did)) { [did._1] }
case (_) { [] }
};
Refactor expr_root in alias.rs It was too clunky and specific before. Now returns a vec of dereference specs instead of a bunch of special-case information. Further accessors extract the information they need from this vec.
2011-06-15 11:03:23 +02:00
let vec[ty::t] forbidden_tp = alt (inner_mut(root.ds)) {
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
case (some(?t)) { [t] }
case (_) { [] }
};
for (ast::arm a in arms) {
auto dnums = arm_defnums(a);
auto new_sc = sc;
if (vec::len(dnums) > 0u) {
Implement mutable/immutable alias distinction. Before, all aliases were implicitly mutable, and writing &mutable was the same as writing &. Now, the two are distinguished, and assignments to regular aliases are no longer allowed.
2011-06-10 12:03:50 +02:00
new_sc = scope(sc, [@rec(root_vars=roots,
block_defnum=dnums.(0),
bindings=dnums,
tys=forbidden_tp,
depends_on=deps(sc, roots),
mutable ok=valid)]);
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
}
visit::visit_arm(a, new_sc, v);
}
}
fn arm_defnums(&ast::arm arm) -> vec[def_num] {
auto dnums = [];
fn walk_pat(&mutable vec[def_num] found, &@ast::pat p) {
alt (p.node) {
case (ast::pat_bind(_, ?did, _)) {
vec::push(found, did._1);
}
case (ast::pat_tag(_, ?children, _)) {
for (@ast::pat child in children) {
walk_pat(found, child);
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
}
}
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
case (_) {}
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
}
}
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
walk_pat(dnums, arm.pat);
ret dnums;
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
}
Change decl to local in expr_for and expr_for_each Since the decl in a for or for-each loop must always be a local decl, I changed the AST to express this. Fewer potential match failures and "the impossible happened" error messages = yay!
2011-06-13 17:04:15 -07:00
fn check_for_each(&ctx cx, &@ast::local local, &@ast::expr call,
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
&ast::block block, &scope sc, &vt[scope] v) {
visit::visit_expr(call, sc, v);
alt (call.node) {
case (ast::expr_call(?f, ?args, _)) {
auto data = check_call(cx, f, args, sc);
Change decl to local in expr_for and expr_for_each Since the decl in a for or for-each loop must always be a local decl, I changed the AST to express this. Fewer potential match failures and "the impossible happened" error messages = yay!
2011-06-13 17:04:15 -07:00
auto defnum = local.node.id._1;
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
auto new_sc = @rec(root_vars=data.root_vars,
block_defnum=defnum,
bindings=[defnum],
tys=data.unsafe_ts,
Properly handle lifetime of aliases in nested blocks There was a bug that would cause the alias analyser to allow you to invalidate an alias that was no longer directly referred to, even if another alias was rooted in it. It now properly tracks dependencies between live aliases. Required another case of copying values in map.rs.
2011-06-09 14:19:13 +02:00
depends_on=deps(sc, data.root_vars),
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
mutable ok=valid);
Implement mutable/immutable alias distinction. Before, all aliases were implicitly mutable, and writing &mutable was the same as writing &. Now, the two are distinguished, and assignments to regular aliases are no longer allowed.
2011-06-10 12:03:50 +02:00
visit::visit_block(block, scope(sc, [new_sc]), v);
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
}
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
}
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
}
Change decl to local in expr_for and expr_for_each Since the decl in a for or for-each loop must always be a local decl, I changed the AST to express this. Fewer potential match failures and "the impossible happened" error messages = yay!
2011-06-13 17:04:15 -07:00
fn check_for(&ctx cx, &@ast::local local, &@ast::expr seq,
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
&ast::block block, &scope sc, &vt[scope] v) {
visit::visit_expr(seq, sc, v);
Change decl to local in expr_for and expr_for_each Since the decl in a for or for-each loop must always be a local decl, I changed the AST to express this. Fewer potential match failures and "the impossible happened" error messages = yay!
2011-06-13 17:04:15 -07:00
auto defnum = local.node.id._1;
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
auto root = expr_root(cx, seq, false);
auto root_def = alt (path_def_id(cx, root.ex)) {
case (some(?did)) { [did._1] }
case (_) { [] }
};
Refactor expr_root in alias.rs It was too clunky and specific before. Now returns a vec of dereference specs instead of a bunch of special-case information. Further accessors extract the information they need from this vec.
2011-06-15 11:03:23 +02:00
auto unsafe = alt (inner_mut(root.ds)) {
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
case (some(?t)) { [t] }
case (_) { [] }
};
// If this is a mutable vector, don't allow it to be touched.
auto seq_t = ty::expr_ty(*cx.tcx, seq);
alt (ty::struct(*cx.tcx, seq_t)) {
case (ty::ty_vec(?mt)) {
if (mt.mut != ast::imm) { unsafe = [seq_t]; }
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
}
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
case (ty::ty_str) {}
}
auto new_sc = @rec(root_vars=root_def,
block_defnum=defnum,
bindings=[defnum],
tys=unsafe,
Properly handle lifetime of aliases in nested blocks There was a bug that would cause the alias analyser to allow you to invalidate an alias that was no longer directly referred to, even if another alias was rooted in it. It now properly tracks dependencies between live aliases. Required another case of copying values in map.rs.
2011-06-09 14:19:13 +02:00
depends_on=deps(sc, root_def),
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
mutable ok=valid);
Implement mutable/immutable alias distinction. Before, all aliases were implicitly mutable, and writing &mutable was the same as writing &. Now, the two are distinguished, and assignments to regular aliases are no longer allowed.
2011-06-10 12:03:50 +02:00
visit::visit_block(block, scope(sc, [new_sc]), v);
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
}
fn check_var(&ctx cx, &@ast::expr ex, &ast::path p, ast::ann ann, bool assign,
&scope sc) {
auto def = cx.dm.get(ann.id);
if (!def_is_local(def)) { ret; }
auto my_defnum = ast::def_id_of_def(def)._1;
auto var_t = ty::expr_ty(*cx.tcx, ex);
Implement mutable/immutable alias distinction. Before, all aliases were implicitly mutable, and writing &mutable was the same as writing &. Now, the two are distinguished, and assignments to regular aliases are no longer allowed.
2011-06-10 12:03:50 +02:00
for (restrict r in sc.rs) {
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
// excludes variables introduced since the alias was made
if (my_defnum < r.block_defnum) {
for (ty::t t in r.tys) {
if (ty_can_unsafely_include(cx, t, var_t, assign)) {
r.ok = val_taken(ex.span, p);
}
}
Properly handle lifetime of aliases in nested blocks There was a bug that would cause the alias analyser to allow you to invalidate an alias that was no longer directly referred to, even if another alias was rooted in it. It now properly tracks dependencies between live aliases. Required another case of copying values in map.rs.
2011-06-09 14:19:13 +02:00
} else if (vec::member(my_defnum, r.bindings)) {
test_scope(cx, sc, r, p);
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
}
}
}
Extend alias analysis to check assignments This is a somewhat odd place to put these checks, but the data tracked by that pass, and the available functions, make it trivial to do such a check there.
2011-06-15 12:17:37 +02:00
// FIXME does not catch assigning to immutable object fields yet
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
fn check_assign(&@ctx cx, &@ast::expr dest, &@ast::expr src,
&scope sc, &vt[scope] v) {
visit_expr(cx, src, sc, v);
Implement mutable/immutable alias distinction. Before, all aliases were implicitly mutable, and writing &mutable was the same as writing &. Now, the two are distinguished, and assignments to regular aliases are no longer allowed.
2011-06-10 12:03:50 +02:00
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
alt (dest.node) {
case (ast::expr_path(?p, ?ann)) {
auto dnum = ast::def_id_of_def(cx.dm.get(ann.id))._1;
Handle mutable references in alias analysis
2011-06-10 16:38:13 +02:00
if (is_immutable_alias(sc, dnum)) {
cx.tcx.sess.span_err
(dest.span, "assigning to immutable alias");
Implement mutable/immutable alias distinction. Before, all aliases were implicitly mutable, and writing &mutable was the same as writing &. Now, the two are distinguished, and assignments to regular aliases are no longer allowed.
2011-06-10 12:03:50 +02:00
}
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
auto var_t = ty::expr_ty(*cx.tcx, dest);
Implement mutable/immutable alias distinction. Before, all aliases were implicitly mutable, and writing &mutable was the same as writing &. Now, the two are distinguished, and assignments to regular aliases are no longer allowed.
2011-06-10 12:03:50 +02:00
for (restrict r in sc.rs) {
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
if (vec::member(dnum, r.root_vars)) {
r.ok = overwritten(dest.span, p);
}
}
check_var(*cx, dest, p, ann, true, sc);
}
case (_) {
Extend alias analysis to check assignments This is a somewhat odd place to put these checks, but the data tracked by that pass, and the available functions, make it trivial to do such a check there.
2011-06-15 12:17:37 +02:00
auto root = expr_root(*cx, dest, false);
if (vec::len(root.ds) == 0u) {
cx.tcx.sess.span_err(dest.span, "assignment to non-lvalue");
} else if (!root.ds.(0).mut) {
auto name = alt (root.ds.(0).kind) {
case (unbox) { "box" }
case (field) { "field" }
case (index) { "vec content" }
};
cx.tcx.sess.span_err
(dest.span, "assignment to immutable " + name);
}
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
visit_expr(cx, dest, sc, v);
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
}
}
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
}
Handle mutable references in alias analysis
2011-06-10 16:38:13 +02:00
fn is_immutable_alias(&scope sc, def_num dnum) -> bool {
for (tup(def_num, ast::mode) arg in sc.args) {
if (arg._0 == dnum && arg._1 == ast::alias(false)) { ret true; }
}
for (restrict r in sc.rs) {
if (vec::member(dnum, r.bindings)) { ret true; }
}
ret false;
}
Properly handle lifetime of aliases in nested blocks There was a bug that would cause the alias analyser to allow you to invalidate an alias that was no longer directly referred to, even if another alias was rooted in it. It now properly tracks dependencies between live aliases. Required another case of copying values in map.rs.
2011-06-09 14:19:13 +02:00
fn test_scope(&ctx cx, &scope sc, &restrict r, &ast::path p) {
auto prob = r.ok;
for (uint dep in r.depends_on) {
if (prob != valid) { break; }
Implement mutable/immutable alias distinction. Before, all aliases were implicitly mutable, and writing &mutable was the same as writing &. Now, the two are distinguished, and assignments to regular aliases are no longer allowed.
2011-06-10 12:03:50 +02:00
prob = sc.rs.(dep).ok;
Properly handle lifetime of aliases in nested blocks There was a bug that would cause the alias analyser to allow you to invalidate an alias that was no longer directly referred to, even if another alias was rooted in it. It now properly tracks dependencies between live aliases. Required another case of copying values in map.rs.
2011-06-09 14:19:13 +02:00
}
if (prob != valid) {
auto msg = alt (prob) {
case (overwritten(?sp, ?wpt)) {
tup(sp, "overwriting " + ast::path_name(wpt))
}
case (val_taken(?sp, ?vpt)) {
tup(sp, "taking the value of " + ast::path_name(vpt))
}
};
cx.tcx.sess.span_err
(msg._0, msg._1 + " will invalidate alias " +
ast::path_name(p) + ", which is still used");
}
}
fn deps(&scope sc, vec[def_num] roots) -> vec[uint] {
auto i = 0u;
auto result = [];
Implement mutable/immutable alias distinction. Before, all aliases were implicitly mutable, and writing &mutable was the same as writing &. Now, the two are distinguished, and assignments to regular aliases are no longer allowed.
2011-06-10 12:03:50 +02:00
for (restrict r in sc.rs) {
Properly handle lifetime of aliases in nested blocks There was a bug that would cause the alias analyser to allow you to invalidate an alias that was no longer directly referred to, even if another alias was rooted in it. It now properly tracks dependencies between live aliases. Required another case of copying values in map.rs.
2011-06-09 14:19:13 +02:00
for (def_num dn in roots) {
if (vec::member(dn, r.bindings)) {
vec::push(result, i);
}
}
i += 1u;
}
ret result;
}
Refactor expr_root in alias.rs It was too clunky and specific before. Now returns a vec of dereference specs instead of a bunch of special-case information. Further accessors extract the information they need from this vec.
2011-06-15 11:03:23 +02:00
tag deref_t {
unbox;
Extend alias analysis to check assignments This is a somewhat odd place to put these checks, but the data tracked by that pass, and the available functions, make it trivial to do such a check there.
2011-06-15 12:17:37 +02:00
field;
Refactor expr_root in alias.rs It was too clunky and specific before. Now returns a vec of dereference specs instead of a bunch of special-case information. Further accessors extract the information they need from this vec.
2011-06-15 11:03:23 +02:00
index;
}
type deref = rec(bool mut, deref_t kind, ty::t outer_t);
// Finds the root (the thing that is dereferenced) for the given expr, and a
// vec of dereferences that were used on this root. Note that, in this vec,
// the inner derefs come in front, so foo.bar.baz becomes rec(ex=foo,
// ds=[field(baz),field(bar)])
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
fn expr_root(&ctx cx, @ast::expr ex, bool autoderef)
Refactor expr_root in alias.rs It was too clunky and specific before. Now returns a vec of dereference specs instead of a bunch of special-case information. Further accessors extract the information they need from this vec.
2011-06-15 11:03:23 +02:00
-> rec(@ast::expr ex, vec[deref] ds) {
fn maybe_auto_unbox(&ctx cx, &ty::t t)
-> rec(ty::t t, option::t[deref] d) {
alt (ty::struct(*cx.tcx, t)) {
case (ty::ty_box(?mt)) {
ret rec(t=mt.ty, d=some(rec(mut=mt.mut != ast::imm,
kind=unbox,
outer_t=t)));
}
case (_) {
ret rec(t=t, d=none);
}
}
}
fn maybe_push_auto_unbox(&option::t[deref] d, &mutable vec[deref] ds) {
alt (d) {
case (some(?d)) { vec::push(ds, d); }
case (none) {}
}
}
let vec[deref] ds = [];
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
while (true) {
alt ({ex.node}) {
case (ast::expr_field(?base, ?ident, _)) {
Refactor expr_root in alias.rs It was too clunky and specific before. Now returns a vec of dereference specs instead of a bunch of special-case information. Further accessors extract the information they need from this vec.
2011-06-15 11:03:23 +02:00
auto auto_unbox = maybe_auto_unbox
(cx, ty::expr_ty(*cx.tcx, base));
auto mut = false;
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
alt (ty::struct(*cx.tcx, auto_unbox.t)) {
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
case (ty::ty_tup(?fields)) {
auto fnm = ty::field_num(cx.tcx.sess, ex.span, ident);
Refactor expr_root in alias.rs It was too clunky and specific before. Now returns a vec of dereference specs instead of a bunch of special-case information. Further accessors extract the information they need from this vec.
2011-06-15 11:03:23 +02:00
mut = fields.(fnm).mut != ast::imm;
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
}
case (ty::ty_rec(?fields)) {
for (ty::field fld in fields) {
if (str::eq(ident, fld.ident)) {
Refactor expr_root in alias.rs It was too clunky and specific before. Now returns a vec of dereference specs instead of a bunch of special-case information. Further accessors extract the information they need from this vec.
2011-06-15 11:03:23 +02:00
mut = fld.mt.mut != ast::imm;
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
break;
}
}
}
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
case (ty::ty_obj(_)) {}
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
}
Refactor expr_root in alias.rs It was too clunky and specific before. Now returns a vec of dereference specs instead of a bunch of special-case information. Further accessors extract the information they need from this vec.
2011-06-15 11:03:23 +02:00
vec::push(ds, rec(mut=mut,
Extend alias analysis to check assignments This is a somewhat odd place to put these checks, but the data tracked by that pass, and the available functions, make it trivial to do such a check there.
2011-06-15 12:17:37 +02:00
kind=field,
Refactor expr_root in alias.rs It was too clunky and specific before. Now returns a vec of dereference specs instead of a bunch of special-case information. Further accessors extract the information they need from this vec.
2011-06-15 11:03:23 +02:00
outer_t=auto_unbox.t));
maybe_push_auto_unbox(auto_unbox.d, ds);
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
ex = base;
}
case (ast::expr_index(?base, _, _)) {
Refactor expr_root in alias.rs It was too clunky and specific before. Now returns a vec of dereference specs instead of a bunch of special-case information. Further accessors extract the information they need from this vec.
2011-06-15 11:03:23 +02:00
auto auto_unbox = maybe_auto_unbox
(cx, ty::expr_ty(*cx.tcx, base));
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
alt (ty::struct(*cx.tcx, auto_unbox.t)) {
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
case (ty::ty_vec(?mt)) {
Refactor expr_root in alias.rs It was too clunky and specific before. Now returns a vec of dereference specs instead of a bunch of special-case information. Further accessors extract the information they need from this vec.
2011-06-15 11:03:23 +02:00
vec::push(ds, rec(mut=mt.mut != ast::imm,
kind=index,
outer_t=auto_unbox.t));
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
}
}
Refactor expr_root in alias.rs It was too clunky and specific before. Now returns a vec of dereference specs instead of a bunch of special-case information. Further accessors extract the information they need from this vec.
2011-06-15 11:03:23 +02:00
maybe_push_auto_unbox(auto_unbox.d, ds);
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
ex = base;
}
case (ast::expr_unary(?op, ?base, _)) {
if (op == ast::deref) {
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
auto base_t = ty::expr_ty(*cx.tcx, base);
alt (ty::struct(*cx.tcx, base_t)) {
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
case (ty::ty_box(?mt)) {
Refactor expr_root in alias.rs It was too clunky and specific before. Now returns a vec of dereference specs instead of a bunch of special-case information. Further accessors extract the information they need from this vec.
2011-06-15 11:03:23 +02:00
vec::push(ds, rec(mut=mt.mut != ast::imm,
kind=unbox,
outer_t=base_t));
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
}
}
ex = base;
} else {
break;
}
}
case (_) { break; }
}
}
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
if (autoderef) {
Refactor expr_root in alias.rs It was too clunky and specific before. Now returns a vec of dereference specs instead of a bunch of special-case information. Further accessors extract the information they need from this vec.
2011-06-15 11:03:23 +02:00
auto auto_unbox = maybe_auto_unbox(cx, ty::expr_ty(*cx.tcx, ex));
maybe_push_auto_unbox(auto_unbox.d, ds);
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
}
Refactor expr_root in alias.rs It was too clunky and specific before. Now returns a vec of dereference specs instead of a bunch of special-case information. Further accessors extract the information they need from this vec.
2011-06-15 11:03:23 +02:00
ret rec(ex=ex, ds=ds);
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
}
Refactor expr_root in alias.rs It was too clunky and specific before. Now returns a vec of dereference specs instead of a bunch of special-case information. Further accessors extract the information they need from this vec.
2011-06-15 11:03:23 +02:00
fn mut_field(&vec[deref] ds) -> bool {
for (deref d in ds) {
if (d.mut) { ret true; }
}
ret false;
}
fn inner_mut(&vec[deref] ds) -> option::t[ty::t] {
for (deref d in ds) {
if (d.mut) { ret some(d.outer_t); }
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
}
Refactor expr_root in alias.rs It was too clunky and specific before. Now returns a vec of dereference specs instead of a bunch of special-case information. Further accessors extract the information they need from this vec.
2011-06-15 11:03:23 +02:00
ret none;
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
}
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
fn path_def_id(&ctx cx, &@ast::expr ex) -> option::t[ast::def_id] {
alt (ex.node) {
case (ast::expr_path(_, ?ann)) {
ret some(ast::def_id_of_def(cx.dm.get(ann.id)));
}
case (_) {
ret none;
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
}
}
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
}
fn ty_can_unsafely_include(&ctx cx, ty::t needle, ty::t haystack, bool mut)
-> bool {
fn get_mut(bool cur, &ty::mt mt) -> bool {
ret cur || mt.mut != ast::imm;
}
fn helper(&ty::ctxt tcx, ty::t needle, ty::t haystack, bool mut) -> bool {
if (needle == haystack) { ret true; }
alt (ty::struct(tcx, haystack)) {
case (ty::ty_tag(_, ?ts)) {
for (ty::t t in ts) {
if (helper(tcx, needle, t, mut)) { ret true; }
}
ret false;
}
case (ty::ty_box(?mt)) {
ret helper(tcx, needle, mt.ty, get_mut(mut, mt));
}
case (ty::ty_vec(?mt)) {
ret helper(tcx, needle, mt.ty, get_mut(mut, mt));
}
case (ty::ty_ptr(?mt)) {
ret helper(tcx, needle, mt.ty, get_mut(mut, mt));
}
case (ty::ty_tup(?mts)) {
for (ty::mt mt in mts) {
if (helper(tcx, needle, mt.ty, get_mut(mut, mt))) {
ret true;
}
}
ret false;
}
case (ty::ty_rec(?fields)) {
for (ty::field f in fields) {
if (helper(tcx, needle, f.mt.ty, get_mut(mut, f.mt))) {
ret true;
}
}
ret false;
}
// These may contain anything.
Further support for predicate constraints Changed function types to include a list of constraints. Added code for parsing and pretty-printing constraints. This necessitated splitting pprust into two files (pprust and ppaux) to break a circulate dependency, as ty_to_str now needs to print out constraints, which may include literals, but pprust depended on ty.
2011-06-09 09:48:16 -07:00
case (ty::ty_fn(_, _, _, _, _)) { ret true; }
A revised, improved alias-checker The old system tried to ensure that the location an alias pointed at would retain its type. That turned out to not be strong enough in the face of aliases to the inside of tags. The new system instead proves that values pointed to by aliases are not replaced (or invalidated in some other way) at all. It knows of two sufficient conditions for this, and tries to prove at least of them: A) The alias is 'immutably rooted' in a local, and this local is not reassigned for the lifetime of the alias. Immutably rooted means the alias refers to the local itself, or to something reachable from the local through immutable dereferencing. B) No value whose type might include the type of the 'inner mutable element' of the thing the alias refers to (for example, the box in rec(mutable x = @mutable int)) is from the outer scope is accessed for the lifetime of the alias. This means for functions, no other argument types may include the alias's inner mutable type. For alt, for each, and for, it means the body does not refer to any locals originating from outside their scope that include this type. The lifetime of an alias in an alt, for each, or for body is defined as the range from its definition to its last use, not to the point where it goes out of scope. This makes working around these restrictions somewhat less annoying. For example, you can assign to your alt-ed value you don't refer to any bindings afterwards.
2011-06-07 11:20:51 +02:00
case (ty::ty_obj(_)) { ret true; }
// A type param may include everything, but can only be treated as
// opaque downstream, and is thus safe unless we saw mutable
// fields, in which case the whole thing can be overwritten.
case (ty::ty_param(_)) { ret mut; }
case (_) { ret false; }
}
}
ret helper(*cx.tcx, needle, haystack, mut);
}
fn def_is_local(&ast::def d) -> bool {
ret alt (d) {
case (ast::def_local(_)) { true }
case (ast::def_arg(_)) { true }
case (ast::def_obj_field(_)) { true }
case (ast::def_binding(_)) { true }
case (_) { false }
};
First take on an alias-safety checker The alias checker works by ensuring that any value to which an alias is created is rooted in some way that ensures it outlives the alias. It is now disallowed to create an alias to the content of a mutable box, or to a box hanging off a mutable field. There is also machinery in place to prevent assignment to local variables whenever they are the root of a live alias.
2011-06-06 15:22:13 +02:00
}
// Local Variables:
// mode: rust
// fill-column: 78;
// indent-tabs-mode: nil
// c-basic-offset: 4
// buffer-file-coding-system: utf-8-unix
// compile-command: "make -k -C $RBUILD 2>&1 | sed -e 's/\\/x\\//x:\\//g'";
// End:
Reference in New Issue Copy Permalink