Forbid object lifetime changing pointer casts

BoxyUwU · BoxyUwU · commit 07f91f1c19a6 · 2025-08-24T17:27:44.000+01:00
diff --git a/compiler/rustc_borrowck/src/type_check/mod.rs b/compiler/rustc_borrowck/src/type_check/mod.rs
@@ -1467,21 +1467,19 @@ impl<'a, 'tcx> Visitor<'tcx> for TypeChecker<'a, 'tcx> {
                                 //
                                 // Note that other checks (such as denying `dyn Send` -> `dyn
                                 // Debug`) are in `rustc_hir_typeck`.
-                                if let ty::Dynamic(src_tty, _src_lt, ty::Dyn) = *src_tail.kind()
+                                if let ty::Dynamic(src_tty, src_lt, ty::Dyn) = *src_tail.kind()
                                     && let ty::Dynamic(dst_tty, dst_lt, ty::Dyn) = *dst_tail.kind()
                                     && src_tty.principal().is_some()
                                     && dst_tty.principal().is_some()
                                 {
                                     // Remove auto traits.
-                                    // Auto trait checks are handled in `rustc_hir_typeck` as FCW.
+                                    // Auto trait checks are handled in `rustc_hir_typeck`.
                                     let src_obj = Ty::new_dynamic(
                                         tcx,
                                         tcx.mk_poly_existential_predicates(
                                             &src_tty.without_auto_traits().collect::<Vec<_>>(),
                                         ),
-                                        // FIXME: Once we disallow casting `*const dyn Trait + 'short`
-                                        // to `*const dyn Trait + 'long`, then this can just be `src_lt`.
-                                        dst_lt,
+                                        src_lt,
                                         ty::Dyn,
                                     );
                                     let dst_obj = Ty::new_dynamic(
@@ -1495,6 +1493,22 @@ impl<'a, 'tcx> Visitor<'tcx> for TypeChecker<'a, 'tcx> {
 
                                     debug!(?src_tty, ?dst_tty, ?src_obj, ?dst_obj);
 
+                                    // Trait parameters are Invariant, the only part that actually has subtyping
+                                    // here is the lifetime bound of the dyn-type.
+                                    //
+                                    // For example in `dyn Trait<'a> + 'b <: dyn Trait<'c> + 'd`  we would require 
+                                    // that `'a == 'c` but only that `'b: 'd`.
+                                    //
+                                    // We must not allow freely casting lifetime bounds of dyn-types as it may allow
+                                    // for inaccessible VTable methods being callable: #136702
+                                    // 
+                                    // We don't enforce this for casts of principal-less dyn types as their VTables do
+                                    // not contain any functions with `Self: 'a` bounds that could start holding after
+                                    // a pointer cast.
+                                    //
+                                    // We also don't enforce this for casts of pointers to pointers to dyn types. E.g.
+                                    // `*mut *mut dyn Trait + 'a -> *mut *mut dyn Trait + 'static` is allowed. This is
+                                    // fine because there is no actual VTable in play.
                                     self.sub_types(
                                         src_obj,
                                         dst_obj,
diff --git a/library/std/src/thread/mod.rs b/library/std/src/thread/mod.rs
@@ -578,8 +578,11 @@ impl Builder {
         let main = Box::new(main);
         // SAFETY: dynamic size and alignment of the Box remain the same. See below for why the
         // lifetime change is justified.
-        let main =
-            unsafe { Box::from_raw(Box::into_raw(main) as *mut (dyn FnOnce() + Send + 'static)) };
+        let main = unsafe {
+            let ptr = Box::into_raw(main) as *mut (dyn FnOnce() + Send + '_);
+            let ptr: *mut (dyn FnOnce() + Send + 'static) = crate::mem::transmute(ptr);
+            Box::from_raw(ptr)
+        };
 
         Ok(JoinInner {
             // SAFETY:
diff --git a/tests/ui/cast/ptr-ptr-to-ptr-ptr-different-regions.rs b/tests/ui/cast/ptr-ptr-to-ptr-ptr-different-regions.rs
@@ -0,0 +1,11 @@
+//@ check-pass
+
+trait Trait {
+    fn foo(&self) {}
+}
+
+fn bar<'a>(a: *mut *mut (dyn Trait + 'a)) -> *mut *mut (dyn Trait + 'static) {
+    a as _
+}
+
+fn main() {}
diff --git a/tests/ui/cast/ptr-to-ptr-different-regions.rs b/tests/ui/cast/ptr-to-ptr-different-regions.rs
@@ -1,10 +1,10 @@
-//@ check-pass
-
 // https://github.com/rust-lang/rust/issues/113257
 
 #![deny(trivial_casts)] // The casts here are not trivial.
 
-struct Foo<'a> { a: &'a () }
+struct Foo<'a> {
+    a: &'a (),
+}
 
 fn extend_lifetime_very_very_safely<'a>(v: *const Foo<'a>) -> *const Foo<'static> {
     // This should pass because raw pointer casts can do anything they want.
@@ -15,6 +15,7 @@ trait Trait {}
 
 fn assert_static<'a>(ptr: *mut (dyn Trait + 'a)) -> *mut (dyn Trait + 'static) {
     ptr as _
+    //~^ ERROR: lifetime may not live long enough
 }
 
 fn main() {
diff --git a/tests/ui/cast/ptr-to-ptr-different-regions.stderr b/tests/ui/cast/ptr-to-ptr-different-regions.stderr
@@ -0,0 +1,22 @@
+error: lifetime may not live long enough
+  --> $DIR/ptr-to-ptr-different-regions.rs:17:5
+   |
+LL | fn assert_static<'a>(ptr: *mut (dyn Trait + 'a)) -> *mut (dyn Trait + 'static) {
+   |                  -- lifetime `'a` defined here
+LL |     ptr as _
+   |     ^^^^^^^^ returning this value requires that `'a` must outlive `'static`
+   |
+   = note: requirement occurs because of a mutable pointer to `dyn Trait`
+   = note: mutable pointers are invariant over their type parameter
+   = help: see <https://doc.rust-lang.org/nomicon/subtyping.html> for more information about variance
+help: consider changing the trait object's explicit `'static` bound to the lifetime of argument `ptr`
+   |
+LL | fn assert_static<'a>(ptr: *mut (dyn Trait + 'a)) -> *mut (dyn Trait + 'a) {
+   |                                                                       ~~
+help: alternatively, add an explicit `'static` bound to this reference
+   |
+LL | fn assert_static<'a>(ptr: *mut (dyn Trait + 'static)) -> *mut (dyn Trait + 'static) {
+   |                           ~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+error: aborting due to 1 previous error
+
diff --git a/tests/ui/cast/ptr-to-ptr-indirect-different-regions.rs b/tests/ui/cast/ptr-to-ptr-indirect-different-regions.rs
@@ -0,0 +1,12 @@
+trait Trait {
+    fn foo(&self) {}
+}
+
+struct MyWrap<T: ?Sized>(T);
+
+fn bar<'a>(a: *mut MyWrap<(dyn Trait + 'a)>) -> *mut MyWrap<(dyn Trait + 'static)> {
+    a as _
+    //~^ ERROR: lifetime may not live long enough
+}
+
+fn main() {}
diff --git a/tests/ui/cast/ptr-to-ptr-indirect-different-regions.stderr b/tests/ui/cast/ptr-to-ptr-indirect-different-regions.stderr
@@ -0,0 +1,31 @@
+error: lifetime may not live long enough
+  --> $DIR/ptr-to-ptr-indirect-different-regions.rs:8:5
+   |
+LL | fn bar<'a>(a: *mut MyWrap<(dyn Trait + 'a)>) -> *mut MyWrap<(dyn Trait + 'static)> {
+   |        -- lifetime `'a` defined here
+LL |     a as _
+   |     ^^^^^^ returning this value requires that `'a` must outlive `'static`
+   |
+   = note: requirement occurs because of a mutable pointer to `MyWrap<dyn Trait>`
+   = note: mutable pointers are invariant over their type parameter
+   = help: see <https://doc.rust-lang.org/nomicon/subtyping.html> for more information about variance
+note: raw pointer casts of trait objects do not cast away lifetimes
+  --> $DIR/ptr-to-ptr-indirect-different-regions.rs:8:5
+   |
+LL |     a as _
+   |     ^^^^^^
+   = note: this was previously accepted by the compiler but was changed recently
+   = help: see <https://github.com/rust-lang/rust/issues/141402> for more information
+help: consider changing the trait object's explicit `'static` bound to the lifetime of argument `a`
+   |
+LL - fn bar<'a>(a: *mut MyWrap<(dyn Trait + 'a)>) -> *mut MyWrap<(dyn Trait + 'static)> {
+LL + fn bar<'a>(a: *mut MyWrap<(dyn Trait + 'a)>) -> *mut MyWrap<(dyn Trait + 'a)> {
+   |
+help: alternatively, add an explicit `'static` bound to this reference
+   |
+LL - fn bar<'a>(a: *mut MyWrap<(dyn Trait + 'a)>) -> *mut MyWrap<(dyn Trait + 'static)> {
+LL + fn bar<'a>(a: *mut MyWrap<(dyn Trait + 'static)>) -> *mut MyWrap<(dyn Trait + 'static)> {
+   |
+
+error: aborting due to 1 previous error
+
diff --git a/tests/ui/cast/ptr-to-trait-obj-ok.rs b/tests/ui/cast/ptr-to-trait-obj-ok.rs
@@ -1,5 +1,3 @@
-//@ check-pass
-
 trait Trait<'a> {}
 
 fn remove_auto<'a>(x: *mut (dyn Trait<'a> + Send)) -> *mut dyn Trait<'a> {
@@ -8,6 +6,7 @@ fn remove_auto<'a>(x: *mut (dyn Trait<'a> + Send)) -> *mut dyn Trait<'a> {
 
 fn cast_inherent_lt<'a, 'b>(x: *mut (dyn Trait<'static> + 'a)) -> *mut (dyn Trait<'static> + 'b) {
     x as _
+    //~^ ERROR: lifetime may not live long enough
 }
 
 fn cast_away_higher_ranked<'a>(x: *mut dyn for<'b> Trait<'b>) -> *mut dyn Trait<'a> {
@@ -33,6 +32,7 @@ fn cast_inherent_lt_wrap<'a, 'b>(
     x: *mut (dyn Trait<'static> + 'a),
 ) -> *mut Wrapper<dyn Trait<'static> + 'b> {
     x as _
+    //~^ ERROR: lifetime may not live long enough
 }
 
 fn cast_away_higher_ranked_wrap<'a>(x: *mut dyn for<'b> Trait<'b>) -> *mut Wrapper<dyn Trait<'a>> {
diff --git a/tests/ui/cast/ptr-to-trait-obj-ok.stderr b/tests/ui/cast/ptr-to-trait-obj-ok.stderr
@@ -0,0 +1,33 @@
+error: lifetime may not live long enough
+  --> $DIR/ptr-to-trait-obj-ok.rs:8:5
+   |
+LL | fn cast_inherent_lt<'a, 'b>(x: *mut (dyn Trait<'static> + 'a)) -> *mut (dyn Trait<'static> + 'b) {
+   |                     --  -- lifetime `'b` defined here
+   |                     |
+   |                     lifetime `'a` defined here
+LL |     x as _
+   |     ^^^^^^ function was supposed to return data with lifetime `'b` but it is returning data with lifetime `'a`
+   |
+   = help: consider adding the following bound: `'a: 'b`
+   = note: requirement occurs because of a mutable pointer to `dyn Trait<'_>`
+   = note: mutable pointers are invariant over their type parameter
+   = help: see <https://doc.rust-lang.org/nomicon/subtyping.html> for more information about variance
+
+error: lifetime may not live long enough
+  --> $DIR/ptr-to-trait-obj-ok.rs:34:5
+   |
+LL | fn cast_inherent_lt_wrap<'a, 'b>(
+   |                          --  -- lifetime `'b` defined here
+   |                          |
+   |                          lifetime `'a` defined here
+...
+LL |     x as _
+   |     ^^^^^^ function was supposed to return data with lifetime `'b` but it is returning data with lifetime `'a`
+   |
+   = help: consider adding the following bound: `'a: 'b`
+   = note: requirement occurs because of a mutable pointer to `Wrapper<dyn Trait<'_>>`
+   = note: mutable pointers are invariant over their type parameter
+   = help: see <https://doc.rust-lang.org/nomicon/subtyping.html> for more information about variance
+
+error: aborting due to 2 previous errors
+
