Merge pull request #117 from Rust-for-Linux/dev/unsound-fix-TAIT-next-solver

replace shadowed return token by `unsafe`-to-create token

Author: BennoLossin

internal/src/init.rs

@@ -148,11 +148,6 @@ pub(crate) fn expand(
     let init_fields = init_fields(&fields, pinned, &data, &slot);
     let field_check = make_field_check(&fields, init_kind, &path);
     Ok(quote! {{
-        // We do not want to allow arbitrary returns, so we declare this type as the `Ok` return
-        // type and shadow it later when we insert the arbitrary user code. That way there will be
-        // no possibility of returning without `unsafe`.
-        struct __InitOk;
-
         // Get the data about fields from the supplied type.
         // SAFETY: TODO
         let #data = unsafe {
@@ -162,18 +157,15 @@ pub(crate) fn expand(
             #path::#get_data()
         };
         // Ensure that `#data` really is of type `#data` and help with type inference:
-        let init = ::pin_init::__internal::#data_trait::make_closure::<_, __InitOk, #error>(
+        let init = ::pin_init::__internal::#data_trait::make_closure::<_, #error>(
             #data,
             move |slot| {
-                {
-                    // Shadow the structure so it cannot be used to return early.
-                    struct __InitOk;
-                    #zeroable_check
-                    #this
-                    #init_fields
-                    #field_check
-                }
-                Ok(__InitOk)
+                #zeroable_check
+                #this
+                #init_fields
+                #field_check
+                // SAFETY: we are the `init!` macro that is allowed to call this.
+                Ok(unsafe { ::pin_init::__internal::InitOk::new() })
             }
         );
         let init = move |slot| -> ::core::result::Result<(), #error> {

src/__internal.rs

@@ -46,6 +46,24 @@ where
     }
 }
 
+/// Token type to signify successful initialization.
+///
+/// Can only be constructed via the unsafe [`Self::new`] function. The initializer macros use this
+/// token type to prevent returning `Ok` from an initializer without initializing all fields.
+pub struct InitOk(());
+
+impl InitOk {
+    /// Creates a new token.
+    ///
+    /// # Safety
+    ///
+    /// This function may only be called from the `init!` macro in `../internal/src/init.rs`.
+    #[inline(always)]
+    pub unsafe fn new() -> Self {
+        Self(())
+    }
+}
+
 /// This trait is only implemented via the `#[pin_data]` proc-macro. It is used to facilitate
 /// the pin projections within the initializers.
 ///
@@ -68,9 +86,10 @@ pub unsafe trait PinData: Copy {
     type Datee: ?Sized + HasPinData;
 
     /// Type inference helper function.
-    fn make_closure<F, O, E>(self, f: F) -> F
+    #[inline(always)]
+    fn make_closure<F, E>(self, f: F) -> F
     where
-        F: FnOnce(*mut Self::Datee) -> Result<O, E>,
+        F: FnOnce(*mut Self::Datee) -> Result<InitOk, E>,
     {
         f
     }
@@ -98,9 +117,10 @@ pub unsafe trait InitData: Copy {
     type Datee: ?Sized + HasInitData;
 
     /// Type inference helper function.
-    fn make_closure<F, O, E>(self, f: F) -> F
+    #[inline(always)]
+    fn make_closure<F, E>(self, f: F) -> F
     where
-        F: FnOnce(*mut Self::Datee) -> Result<O, E>,
+        F: FnOnce(*mut Self::Datee) -> Result<InitOk, E>,
     {
         f
     }

tests/ui/compile-fail/init/early_return.rs

@@ -0,0 +1,14 @@
+use pin_init::*;
+
+struct Foo {
+    a: usize,
+}
+
+fn main() {
+    let _ = init!(Foo {
+        _: {
+            return Ok(());
+        },
+        a: 42,
+    });
+}

tests/ui/compile-fail/init/early_return.stderr

@@ -0,0 +1,36 @@
+error[E0308]: mismatched types
+  --> tests/ui/compile-fail/init/early_return.rs:10:23
+   |
+10 |             return Ok(());
+   |                    -- ^^ expected `InitOk`, found `()`
+   |                    |
+   |                    arguments to this enum variant are incorrect
+   |
+help: the type constructed contains `()` due to the type of the argument passed
+  --> tests/ui/compile-fail/init/early_return.rs:10:20
+   |
+10 |             return Ok(());
+   |                    ^^^--^
+   |                       |
+   |                       this argument influences the type of `Ok`
+note: tuple variant defined here
+  --> $RUST/core/src/result.rs
+   |
+   |     Ok(#[stable(feature = "rust1", since = "1.0.0")] T),
+   |     ^^
+
+warning: unreachable statement
+  --> tests/ui/compile-fail/init/early_return.rs:8:13
+   |
+ 8 |       let _ = init!(Foo {
+   |  _____________^
+ 9 | |         _: {
+10 | |             return Ok(());
+   | |             ------------- any code following this expression is unreachable
+11 | |         },
+12 | |         a: 42,
+13 | |     });
+   | |______^ unreachable statement
+   |
+   = note: `#[warn(unreachable_code)]` (part of `#[warn(unused)]`) on by default
+   = note: this warning originates in the macro `init` (in Nightly builds, run with -Z macro-backtrace for more info)

tests/ui/expand/simple-init.expanded.rs

@@ -2,24 +2,19 @@ use pin_init::*;
 struct Foo {}
 fn main() {
     let _ = {
-        struct __InitOk;
         let __data = unsafe {
             use ::pin_init::__internal::HasInitData;
             Foo::__init_data()
         };
         let init = ::pin_init::__internal::InitData::make_closure::<
             _,
-            __InitOk,
             ::core::convert::Infallible,
         >(
             __data,
             move |slot| {
-                {
-                    struct __InitOk;
-                    #[allow(unreachable_code, clippy::diverging_sub_expression)]
-                    let _ = || unsafe { ::core::ptr::write(slot, Foo {}) };
-                }
-                Ok(__InitOk)
+                #[allow(unreachable_code, clippy::diverging_sub_expression)]
+                let _ = || unsafe { ::core::ptr::write(slot, Foo {}) };
+                Ok(unsafe { ::pin_init::__internal::InitOk::new() })
             },
         );
         let init = move |