Condition handlers can unsoundly alias mutable stack variables

[brson]

In this example, keep_reading is mutable and aliased.

    fn read_to_end(&mut self) -> ~[u8] {
        let mut buf = vec::with_capacity(DEFAULT_BUF_SIZE);
        let mut keep_reading = true;
        do read_error::cond.trap(|e| {
            if e.kind == EndOfFile {
                keep_reading = false;
            }
        }).in {
            while keep_reading {
                self.push_bytes(&mut buf, DEFAULT_BUF_SIZE)
            }
        }
        return buf;
    }

[brson]

Although similar, I think finally doesn't have this problem because the regions are propagated correctly - finally is just a method call on a stack closure. Conditions though are unsafely put into TLS and presumably the region is lost from the returned condition object.

[nikomatsakis]

The real problem here is the problem described in this blog post. (#2202)

[nikomatsakis]

In particular, if we implemented the plan I had in mind, the variable would be "claimed" by both of the closures, leading to errors. This is a bit unfortunate, though, since in fact the code is probably safe.

[nikomatsakis]

Thinking about this a bit more, I imagine we could distinguish fairly easily between variables that are borrowed (e.g., &mut keep_reading or &keep_reading) and variables that are merely assigned to and written from. Doing so would allow a case like this to work.

[metajack]

visiting for triage. nominating for backwards compat.

[catamorphism]

Inherits from metabug. De-nominating

[alexcrichton]

Closed by 0ac6e5a (tests checked in as part of #12158)