Do not drop moved-out owned locals at the move site

claude · coord-e · commit 115a8e04372e · 2026-05-22T01:15:14.000+09:00
Fixes #41. A closure capturing `&mut` stored in a tuple/struct field made thrust derive a contradictory environment and unsoundly accept programs that can panic. The drop-point analysis treats a local's last use as its drop site. For a value moved into an aggregate (e.g. a closure moved into a tuple), this dropped the moved-out temporary at the move site, prematurely resolving the captured reference's prophecy (final == current) to its construction value. The later call mutating through the closure then contradicted that, making the environment inconsistent and any following assertion vacuously "safe". Owned (non-reference) locals whose ownership is transferred away by a move are now excluded from the drop set: their drop obligation belongs to the destination. Moved references are left untouched since ReborrowVisitor/ RustCallVisitor turn them into reborrows, so the source remains live. https://claude.ai/code/session_01HHar2z2xTNwffns5SF7wRe cargo fmt https://claude.ai/code/session_01HHar2z2xTNwffns5SF7wRe Pair closure_field_mut with a passing counterpart Add tests/ui/pass/closure_field_mut.rs asserting the true post-condition (call_count == 1) and switch the fail case to the mutation-dependent assert!(call_count == 0), so the pair directly demonstrates that the field closure's mutation is tracked rather than only that the spurious contradiction is gone. https://claude.ai/code/session_01HHar2z2xTNwffns5SF7wRe
diff --git a/src/analyze/basic_block/drop_point.rs b/src/analyze/basic_block/drop_point.rs
@@ -57,6 +57,47 @@ pub struct DropPointsBuilder<'mir, 'tcx> {
     bb_ins_cache: HashMap<BasicBlock, DenseBitSet<Local>>,
 }
 
+/// Locals whose ownership is fully transferred away by the statement (or
+/// terminator) at `statement_index`. Such a local is left uninitialized, so its
+/// drop obligation (including resolving any mutable-borrow prophecies it owns)
+/// moves to the destination and it must not be dropped at the move site.
+///
+/// Only owned (non-reference) operands are reported: `move`d references are
+/// turned into reborrows by `ReborrowVisitor`/`RustCallVisitor`, so the source
+/// local remains live and must still be dropped.
+fn moved_locals<'tcx>(
+    body: &Body<'tcx>,
+    bb: BasicBlock,
+    statement_index: usize,
+) -> DenseBitSet<Local> {
+    struct Visitor<'a, 'tcx> {
+        body: &'a Body<'tcx>,
+        locals: DenseBitSet<Local>,
+    }
+    impl<'tcx> mir::visit::Visitor<'tcx> for Visitor<'_, 'tcx> {
+        fn visit_operand(&mut self, operand: &mir::Operand<'tcx>, _location: mir::Location) {
+            if let mir::Operand::Move(place) = operand {
+                if place.projection.is_empty() && !self.body.local_decls[place.local].ty.is_ref() {
+                    self.locals.insert(place.local);
+                }
+            }
+        }
+    }
+    let mut visitor = Visitor {
+        body,
+        locals: DenseBitSet::new_empty(body.local_decls.len()),
+    };
+    let loc = mir::Location::START;
+    let data = &body.basic_blocks[bb];
+    use mir::visit::Visitor as _;
+    if statement_index < data.statements.len() {
+        visitor.visit_statement(&data.statements[statement_index], loc);
+    } else if let Some(tmnt) = &data.terminator {
+        visitor.visit_terminator(tmnt, loc);
+    }
+    visitor.locals
+}
+
 fn def_local<'tcx>(data: &mir::BasicBlockData<'tcx>, statement_index: usize) -> Option<Local> {
     struct Visitor {
         local: Option<Local>,
@@ -135,6 +176,7 @@ impl<'mir, 'tcx> DropPointsBuilder<'mir, 'tcx> {
                     t.insert(def);
                 }
                 t.subtract(&last_live_locals);
+                t.subtract(&moved_locals(self.body, bb, statement_index));
                 t
             };
             last_live_locals = live_locals;
diff --git a/tests/ui/fail/closure_field_mut.rs b/tests/ui/fail/closure_field_mut.rs
@@ -0,0 +1,26 @@
+//@error-in-other-file: Unsat
+//@compile-flags: -C debug-assertions=off
+
+// Fail counterpart of tests/ui/pass/closure_field_mut.rs.
+// Regression test for https://github.com/coord-e/thrust/issues/41.
+//
+// A closure capturing `&mut` stored in a tuple field used to make thrust derive
+// a contradictory environment: the moved-out closure temporary was dropped at
+// its move site, prematurely resolving the captured reference's prophecy to its
+// construction value, which then contradicted the mutation performed by the
+// call. That contradiction unsoundly proved any following assertion (including
+// the issue's original `assert!(false)`) unreachable.
+//
+// The closure sets `call_count` to 1, so the assertion below must be rejected.
+
+fn main() {
+    let mut call_count = 0;
+    let mut s = (
+        || {
+            call_count = 1;
+        },
+        0,
+    );
+    (s.0)();
+    assert!(call_count == 0);
+}
diff --git a/tests/ui/pass/closure_field_mut.rs b/tests/ui/pass/closure_field_mut.rs
@@ -0,0 +1,21 @@
+//@check-pass
+//@compile-flags: -C debug-assertions=off
+
+// Pass counterpart of tests/ui/fail/closure_field_mut.rs.
+// Regression test for https://github.com/coord-e/thrust/issues/41.
+//
+// A closure capturing `&mut` stored in a tuple field mutates the captured
+// variable when called through the field. thrust must track that mutation, so
+// the (true) post-condition below verifies.
+
+fn main() {
+    let mut call_count = 0;
+    let mut s = (
+        || {
+            call_count = 1;
+        },
+        0,
+    );
+    (s.0)();
+    assert!(call_count == 1);
+}
