@bors try

⌛ Trying commit d5ebeac with merge 44f3504...

☀️ Try build successful - checks-actions
Build commit: 44f3504 (44f3504e96c944ae54fc72b5f5008f53f7eda001)

@craterbot check

👌 Experiment pr-136776 created and queued.
🤖 Automatically detected try build 44f3504
🔍 You can check out the queue and this experiment's details.

ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more

🚧 Experiment pr-136776 is now running

ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more

🎉 Experiment pr-136776 is completed!
📊 169 regressed and 4 fixed (580506 total)
📰 Open the full report.

⚠️ If you notice any spurious failure please add them to the denylist!
ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more

Most of these are on github; in terms of crates.io regressions all we have is:

• may
• a bunch of crates using metrics, see e.g. this (for metrics-0.23) or this (for metrics-0.24, the latest version)

Overall, 142 regressions are caused by metrics and 14 by may; if we ca get fixed versions of those crates out that seems to mostly cover it.

EDIT: Ah, there's also cogo.

We discussed this in the lang triage call today. We wanted to think more about it, so we're leaving it nominated to discuss again.

@BoxyUwU Do you think it would be possible to implement this as an FCW? We talked about this in lang triage today and would prefer to start with that if we can. If it's not feasible, a hard error can also work (I would say though that we should upstream PRs to any crates we break).

Another small thing I noticed is that the error message links to the Nomicon section on variance, but it would be ideal to link to a tracking issue or something describing this issue in particular.

To add on to what tmandry, said, in our discussions we did feel that the approach taken in this PR is generally the right way forward, and we're happy to see this progress so as to help clear the way for arbitrary_self_types and derive_coerce_pointee.

cc @rust-lang/lang

@tmandry I do expect it to be possible to FCW this. We can likely do something hacky around to fully emulate the fix (but as a lint), but if that doesn't work out all the regression we found were relatively "simple" cases that can probably be taken advantage of (if need be) to lint a subset of the actual cases we'd break with this PR

edit: see compiler-errors' comment, I'm not so convinced this will be possible to FCW anymore and will likely investigate improving the diagnostics here. I've already filed PRs to the affected crates to migrate them over to a transmute to avoid the breakage if this lands

I was thinking earlier that it may be possible to implement a lint to detect, but it seems to me that MIR borrowck is not equipped to implement such a lint.

Specifically, it seems near impossible to answer whether a region outlives constraint (like, 'a: 'b) would not hold in a way that doesn't actually commit to that constraint, at least not without tons of false positives based on how NLL computes lower bounds for all of the regions it deals with in the MIR.

To fix this would require some significant engineering effort to refactor how NLL processes its region graph to make it easier to clone and reprocess with new constraints.

making PRs to the affected public projects and working out a diagnostic that guides people in the right direction

By "diagnostic" here you refer to the hard error that shows in code this breaks?

@BoxyUwU @compiler-errors how practical is it to give a dedicated diagnostic for this case?

By "diagnostic" here you refer to the hard error that shows in code this breaks?

That's right.

@Manishearth You mentioned an FCW; my understanding has been that an FCW in this case is infeasible. I do agree with your assertion that this would make unsafe reviews harder.

@tmandry

Maybe I'm missing something, and part of the issue with this thread is that it's not always clear what changes specifically are being talked about.

But for the proposal on the table that is:

• Forbid some things entirely in as casts in safe rust
• Allow them in unsafe rust but unsafe rust writers need to worry about the precise usage pattern to avoid/trigger UB

It should be instead possible to forbid those things entirely in all as casts, and have an FCW/edition/whatever for them, since if it is possible to forbid a thing it should be possible to use the same mechanism to lint it.

If the FCW for forbidding such casts is impossible to write, then I ask: how are you going to forbid the operation completely in safe Rust as is the lang team's proposal?

@traviscross

On the substance here, we'll obviously take this back up on Wednesday. My estimate is that we're rather likely to readopt the original plan and to "stay the course" on that. We very nearly went that way last Wednesday.

Could you explicitly write down the "original plan"? This thread is rather self referential, the linked comment doesn't specify the plan, it refers to a previous comment which also isn't fully clear.

If the FCW for forbidding such casts is impossible to write, then I ask: how are you going to forbid the operation completely in safe Rust as is the lang team's proposal?

Because it amounts to literally running all of borrowck twice. It's not impossible to write, but it's prohibitively difficult to do and would require quite a lot of refactoring. Straight up denying it amounts to a few lines of change, as implemented in the PR today.

Could you explicitly write down the "original plan"?

It's what I went on to say. We do the breaking change along with a diagnostic on the error that tries to point people in the right direction and we make PRs to affected projects.

@traviscross there are multiple possible breaking changes in this thread, and multiple lints. I don't actually think anyone has precisely defined what is happening so far all in one place, instead referencing previous comments with wording like "the breaking change".

The breaking change is that casting *const dyn Trait + 'a to *const dyn Trait + 'b will now require 'a: 'b to hold, whereas previously these lifetimes were allowed to be entirely unrelated.

Hmm, from what I recall that specific example is possible to lint against in a late lint pass. There's a lot of talk of MIR borrowck when talking about feasability, maybe I'm missing something, but from clippy experience that seems implementable?

It's not just about that specific example, for the general case you need borrowck to check things like *const dyn Trait + '_ being cast to *const dyn Trait + '_ doesnt wind up doing something equivalent to that example.

I mean, yes, I understand it's not a simple AST match, but ultimately those are both TyKind::Dynamics, which does still retain the Region`. I can imagine there are a lot of corner case Regions that are not easily compared, but I was under the impression it's possible for the common cases. From digging deeper it seems like it's more complicated than that.

An FCW with a lot of false positives or false negatives is potentially still worth trying, though, if they don't end up triggering often.

@Manishearth The only part of the compiler that actually knows lifetimes is borrowck. So nothing outside borrowck can implement this lint as there's no way to actually get hold of the two lifetimes that have to outlive each other.

Inside borrowck, the way the hard error is implemented is to add this new constraint to the big sea of constraints that is gathered up during borrowck. Borrowck never explicitly materializes concrete lifetimes, all it does is gather constraints and then check if the constraint system is satisfiable. That makes it impossible to lint since when borrowck fails, it is entirely unclear whether it would have succeeded without that extra constraint.

Ah, I see. I was under the impression some of this information was available after MIR borrowck, but looking through clippy we don't actually do that. Fair enough.

(I may be operating on a model of things from before MIR borrowck)

We talked about this on the lang call today, and we'd like to unblock this in favor of proceeding with the original plan, which is that we plan to accept the breaking change as originally proposed in this PR subject to PRs being made to affected projects (already done) and an attempt being made to provide a diagnostic along with the hard error that will point people in the right direction on this as best as possible.

When this PR is ready, along those lines, please renominate it for us, and we'll propose lang + types FCP.

@rustbot labels -I-lang-nominated +I-lang-radar

I've pushed a first attempt at some special cased diagnostics for this breakage, it links to #141402 which could probably do with some work.

Oh another update: the metrics crate which was responsible for the vast majority of regressions has been fixed and had the fix backported to older versions too. I think may was also fixed in a non-major release. So both may and metrics users broken by this should be able to cargo update to be unbroken

☔ The latest upstream changes (presumably #143036) made this pull request unmergeable. Please resolve the merge conflicts.

It seems to me that all of the things requested in #136776 (comment) have been added.

@rustbot labels +I-lang-nominated -I-lang-radar