Rollup merge of rust-lang#77663 - HeroicKatora:regression-tests-27675…

…-object-safe, r=Aaron1011 Add compile fail test for issue 27675 A recently merged PR (rust-lang#73905) strengthened the checks on bounds of associated items. This rejects the attack path of rust-lang#27675 which consisted of constructing a `dyn Trait<Item=T>` where `T` would not fulfill the bounds required on `Item` of the `Trait` behind the dyn object. This regression test, extracted from [the weaponized instance](rust-lang#27675 (comment)), checks that this is rejected.
Dylan-DPC-zz · Oct 8, 2020 · 45a34fc · 45a34fc
2 parents fbe8728 + ea206f2
commit 45a34fc
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/src/test/compile-fail/issue-27675-unchecked-bounds.rs b/src/test/compile-fail/issue-27675-unchecked-bounds.rs
@@ -0,0 +1,19 @@
+/// The compiler previously did not properly check the bound of `From` when it was used from type
+/// of the dyn trait object (use in `copy_any` below). Since the associated type is under user
+/// control in this usage, the compiler could be tricked to believe any type implemented any trait.
+/// This would ICE, except for pure marker traits like `Copy`. It did not require providing an
+/// instance of the dyn trait type, only name said type.
+trait Setup {
+    type From: Copy;
+}
+
+fn copy<U: Setup + ?Sized>(from: &U::From) -> U::From {
+    *from
+}
+
+pub fn copy_any<T>(t: &T) -> T {
+    copy::<dyn Setup<From=T>>(t)
+    //~^ ERROR the trait bound `T: Copy` is not satisfied
+}
+
+fn main() {}