auto merge of #15989 : pcwalton/rust/borrowck-pattern-guards, r=pnkfelix

the CFG for match statements.

There were two bugs in issue #14684. One was simply that the borrow
check didn't know about the correct CFG for match statements: the
pattern must be a predecessor of the guard. This disallows the bad
behavior if there are bindings in the pattern. But it isn't enough to
prevent the memory safety problem, because of wildcards; thus, this
patch introduces a more restrictive rule, which disallows assignments
and mutable borrows inside guards outright.

I discussed this with Niko and we decided this was the best plan of
action.

This breaks code that performs mutable borrows in pattern guards. Most
commonly, the code looks like this:

    impl Foo {
        fn f(&mut self, ...) {}
        fn g(&mut self, ...) {
            match bar {
                Baz if self.f(...) => { ... }
                _ => { ... }
            }
        }
    }

Change this code to not use a guard. For example:

    impl Foo {
        fn f(&mut self, ...) {}
        fn g(&mut self, ...) {
            match bar {
                Baz => {
                    if self.f(...) {
                        ...
                    } else {
                        ...
                    }
                }
                _ => { ... }
            }
        }
    }

Sometimes this can result in code duplication, but often it illustrates
a hidden memory safety problem.

Closes #14684.

[breaking-change]

r? @pnkfelix

Author: bors

src/libfmt_macros/lib.rs

@@ -352,8 +352,13 @@ impl<'a> Parser<'a> {
             None => {
                 let tmp = self.cur.clone();
                 match self.word() {
-                    word if word.len() > 0 && self.consume('$') => {
-                        CountIsName(word)
+                    word if word.len() > 0 => {
+                        if self.consume('$') {
+                            CountIsName(word)
+                        } else {
+                            self.cur = tmp;
+                            CountImplied
+                        }
                     }
                     _ => {
                         self.cur = tmp;

src/librustc/middle/cfg/construct.rs

@@ -333,32 +333,37 @@ impl<'a> CFGBuilder<'a> {
                 //    [discr]
                 //       |
                 //       v 2
-                //    [guard1]
+                //    [cond1]
                 //      /  \
                 //     |    \
-                //     v 3  |
-                //  [pat1]  |
-                //     |
-                //     v 4  |
-                // [body1]  v
-                //     |  [guard2]
-                //     |    /   \
-                //     | [body2] \
-                //     |    |   ...
-                //     |    |    |
-                //     v 5  v    v
-                //   [....expr....]
+                //     v 3   \
+                //  [pat1]    \
+                //     |       |
+                //     v 4     |
+                //  [guard1]   |
+                //     |       |
+                //     |       |
+                //     v 5     v
+                //  [body1]  [cond2]
+                //     |      /  \
+                //     |    ...  ...
+                //     |     |    |
+                //     v 6   v    v
+                //  [.....expr.....]
                 //
                 let discr_exit = self.expr(discr.clone(), pred);         // 1
 
                 let expr_exit = self.add_node(expr.id, []);
-                let mut guard_exit = discr_exit;
+                let mut cond_exit = discr_exit;
                 for arm in arms.iter() {
-                    guard_exit = self.opt_expr(arm.guard, guard_exit);   // 2
+                    cond_exit = self.add_dummy_node([cond_exit]);        // 2
                     let pats_exit = self.pats_any(arm.pats.as_slice(),
-                                                  guard_exit);           // 3
-                    let body_exit = self.expr(arm.body.clone(), pats_exit); // 4
-                    self.add_contained_edge(body_exit, expr_exit);       // 5
+                                                  cond_exit);            // 3
+                    let guard_exit = self.opt_expr(arm.guard,
+                                                   pats_exit);           // 4
+                    let body_exit = self.expr(arm.body.clone(),
+                                              guard_exit);               // 5
+                    self.add_contained_edge(body_exit, expr_exit);       // 6
                 }
                 expr_exit
             }

src/librustc/middle/check_match.rs

@@ -11,6 +11,10 @@
 use middle::const_eval::{compare_const_vals, const_bool, const_float, const_nil, const_val};
 use middle::const_eval::{const_expr_to_pat, eval_const_expr, lookup_const_by_id};
 use middle::def::*;
+use middle::expr_use_visitor::{ConsumeMode, Delegate, ExprUseVisitor, Init};
+use middle::expr_use_visitor::{JustWrite, LoanCause, MutateMode};
+use middle::expr_use_visitor::{WriteAndRead};
+use middle::mem_categorization::cmt;
 use middle::pat_util::*;
 use middle::ty::*;
 use middle::ty;
@@ -143,7 +147,16 @@ fn check_expr(cx: &mut MatchCheckCtxt, ex: &Expr) {
                                                 arm.pats.as_slice());
             }
 
-            // Second, check for unreachable arms.
+            // Second, if there is a guard on each arm, make sure it isn't
+            // assigning or borrowing anything mutably.
+            for arm in arms.iter() {
+                match arm.guard {
+                    Some(guard) => check_for_mutation_in_guard(cx, &*guard),
+                    None => {}
+                }
+            }
+
+            // Third, check for unreachable arms.
             check_arms(cx, arms.as_slice());
 
             // Finally, check if the whole match expression is exhaustive.
@@ -903,3 +916,53 @@ fn check_legality_of_move_bindings(cx: &MatchCheckCtxt,
         });
     }
 }
+
+/// Ensures that a pattern guard doesn't borrow by mutable reference or
+/// assign.
+fn check_for_mutation_in_guard<'a>(cx: &'a MatchCheckCtxt<'a>, guard: &Expr) {
+    let mut checker = MutationChecker {
+        cx: cx,
+    };
+    let mut visitor = ExprUseVisitor::new(&mut checker, checker.cx.tcx);
+    visitor.walk_expr(guard);
+}
+
+struct MutationChecker<'a> {
+    cx: &'a MatchCheckCtxt<'a>,
+}
+
+impl<'a> Delegate for MutationChecker<'a> {
+    fn consume(&mut self, _: NodeId, _: Span, _: cmt, _: ConsumeMode) {}
+    fn consume_pat(&mut self, _: &Pat, _: cmt, _: ConsumeMode) {}
+    fn borrow(&mut self,
+              _: NodeId,
+              span: Span,
+              _: cmt,
+              _: Region,
+              kind: BorrowKind,
+              _: LoanCause) {
+        match kind {
+            MutBorrow => {
+                self.cx
+                    .tcx
+                    .sess
+                    .span_err(span,
+                              "cannot mutably borrow in a pattern guard")
+            }
+            ImmBorrow | UniqueImmBorrow => {}
+        }
+    }
+    fn decl_without_init(&mut self, _: NodeId, _: Span) {}
+    fn mutate(&mut self, _: NodeId, span: Span, _: cmt, mode: MutateMode) {
+        match mode {
+            JustWrite | WriteAndRead => {
+                self.cx
+                    .tcx
+                    .sess
+                    .span_err(span, "cannot assign in a pattern guard")
+            }
+            Init => {}
+        }
+    }
+}
+

src/librustc/middle/expr_use_visitor.rs

@@ -292,7 +292,7 @@ impl<'d,'t,TYPER:mc::Typer> ExprUseVisitor<'d,'t,TYPER> {
         self.walk_expr(expr)
     }
 
-    fn walk_expr(&mut self, expr: &ast::Expr) {
+    pub fn walk_expr(&mut self, expr: &ast::Expr) {
         debug!("walk_expr(expr={})", expr.repr(self.tcx()));
 
         self.walk_adjustment(expr);

src/librustdoc/html/render.rs

@@ -1734,17 +1734,19 @@ fn item_struct(w: &mut fmt::Formatter, it: &clean::Item,
         }
     }).peekable();
     match s.struct_type {
-        doctree::Plain if fields.peek().is_some() => {
-            try!(write!(w, "<h2 class='fields'>Fields</h2>\n<table>"));
-            for field in fields {
-                try!(write!(w, "<tr><td id='structfield.{name}'>\
-                                  {stab}<code>{name}</code></td><td>",
-                              stab = ConciseStability(&field.stability),
-                              name = field.name.get_ref().as_slice()));
-                try!(document(w, field));
-                try!(write!(w, "</td></tr>"));
+        doctree::Plain => {
+            if fields.peek().is_some() {
+                try!(write!(w, "<h2 class='fields'>Fields</h2>\n<table>"));
+                for field in fields {
+                    try!(write!(w, "<tr><td id='structfield.{name}'>\
+                                      {stab}<code>{name}</code></td><td>",
+                                  stab = ConciseStability(&field.stability),
+                                  name = field.name.get_ref().as_slice()));
+                    try!(document(w, field));
+                    try!(write!(w, "</td></tr>"));
+                }
+                try!(write!(w, "</table>"));
             }
-            try!(write!(w, "</table>"));
         }
         _ => {}
     }

src/libsyntax/parse/parser.rs

@@ -11,9 +11,6 @@
 #![allow(unused_variable)]
 #![allow(dead_assignment)]
 
-fn cond() -> bool { fail!() }
-fn link<'a>(v: &'a uint, w: &mut &'a uint) -> bool { *w = v; true }
-
 fn separate_arms() {
     // Here both arms perform assignments, but only is illegal.
 
@@ -31,28 +28,4 @@ fn separate_arms() {
     x.clone(); // just to prevent liveness warnings
 }
 
-fn guard() {
-    // Here the guard performs a borrow. This borrow "infects" all
-    // subsequent arms (but not the prior ones).
-
-    let mut a = box 3u;
-    let mut b = box 4u;
-    let mut w = &*a;
-    match 22i {
-        _ if cond() => {
-            b = box 5u;
-        }
-
-        _ if link(&*b, &mut w) => {
-            b = box 6u; //~ ERROR cannot assign
-        }
-
-        _ => {
-            b = box 7u; //~ ERROR cannot assign
-        }
-    }
-
-    b = box 8; //~ ERROR cannot assign
-}
-
 fn main() {}

src/test/compile-fail/borrowck-lend-flow-match.rs

@@ -0,0 +1,33 @@
+// Copyright 2014 The Rust Project Developers. See the COPYRIGHT
+// file at the top-level directory of this distribution and at
+// http://rust-lang.org/COPYRIGHT.
+//
+// Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
+// http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
+// <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your
+// option. This file may not be copied, modified, or distributed
+// except according to those terms.
+
+enum Enum<'a> {
+    A(&'a int),
+    B(bool),
+}
+
+fn foo() -> int {
+    let mut n = 42;
+    let mut x = A(&mut n);
+    match x {
+        A(_) if { x = B(false); false } => 1,
+        //~^ ERROR cannot assign in a pattern guard
+        A(_) if { let y = &mut x; *y = B(false); false } => 1,
+        //~^ ERROR cannot mutably borrow in a pattern guard
+        //~^^ ERROR cannot assign in a pattern guard
+        A(p) => *p,
+        B(_) => 2,
+    }
+}
+
+fn main() {
+    foo();
+}
+

src/test/compile-fail/borrowck-mutate-in-guard.rs

@@ -7,14 +7,15 @@ digraph block {
     N5[label="expr 7777i"];
     N6[label="expr [7i, 77i, 777i, 7777i]"];
     N7[label="expr match [7i, 77i, 777i, 7777i] { [x, y, ..] => x + y }"];
-    N8[label="local x"];
-    N9[label="local y"];
-    N10[label="pat .."];
-    N11[label="pat [x, y, ..]"];
-    N12[label="expr x"];
-    N13[label="expr y"];
-    N14[label="expr x + y"];
-    N15[label="block { match [7i, 77i, 777i, 7777i] { [x, y, ..] => x + y }; }"];
+    N8[label="(dummy_node)"];
+    N9[label="local x"];
+    N10[label="local y"];
+    N11[label="pat .."];
+    N12[label="pat [x, y, ..]"];
+    N13[label="expr x"];
+    N14[label="expr y"];
+    N15[label="expr x + y"];
+    N16[label="block { match [7i, 77i, 777i, 7777i] { [x, y, ..] => x + y }; }"];
     N0 -> N2;
     N2 -> N3;
     N3 -> N4;
@@ -27,7 +28,8 @@ digraph block {
     N11 -> N12;
     N12 -> N13;
     N13 -> N14;
-    N14 -> N7;
-    N7 -> N15;
-    N15 -> N1;
+    N14 -> N15;
+    N15 -> N7;
+    N7 -> N16;
+    N16 -> N1;
 }

src/test/run-make/graphviz-flowgraph/f07.dot-expected.dot

@@ -8,18 +8,20 @@ digraph block {
     N6[label="local _y"];
     N7[label="expr x"];
     N8[label="expr match x { E13a => _y = 1, E13b(v) => _y = v + 1 }"];
-    N9[label="local E13a"];
-    N10[label="expr 1"];
-    N11[label="expr _y"];
-    N12[label="expr _y = 1"];
-    N13[label="local v"];
-    N14[label="pat E13b(v)"];
-    N15[label="expr v"];
-    N16[label="expr 1"];
-    N17[label="expr v + 1"];
-    N18[label="expr _y"];
-    N19[label="expr _y = v + 1"];
-    N20[label="block {\l    let x = E13b(13);\l    let _y;\l    match x { E13a => _y = 1, E13b(v) => _y = v + 1 }\l}\l"];
+    N9[label="(dummy_node)"];
+    N10[label="local E13a"];
+    N11[label="expr 1"];
+    N12[label="expr _y"];
+    N13[label="expr _y = 1"];
+    N14[label="(dummy_node)"];
+    N15[label="local v"];
+    N16[label="pat E13b(v)"];
+    N17[label="expr v"];
+    N18[label="expr 1"];
+    N19[label="expr v + 1"];
+    N20[label="expr _y"];
+    N21[label="expr _y = v + 1"];
+    N22[label="block {\l    let x = E13b(13);\l    let _y;\l    match x { E13a => _y = 1, E13b(v) => _y = v + 1 }\l}\l"];
     N0 -> N2;
     N2 -> N3;
     N3 -> N4;
@@ -30,15 +32,17 @@ digraph block {
     N9 -> N10;
     N10 -> N11;
     N11 -> N12;
-    N12 -> N8;
-    N7 -> N13;
-    N13 -> N14;
+    N12 -> N13;
+    N13 -> N8;
+    N9 -> N14;
     N14 -> N15;
     N15 -> N16;
     N16 -> N17;
     N17 -> N18;
     N18 -> N19;
-    N19 -> N8;
-    N8 -> N20;
-    N20 -> N1;
+    N19 -> N20;
+    N20 -> N21;
+    N21 -> N8;
+    N8 -> N22;
+    N22 -> N1;
 }