Privatize constructors of tuple structs with private fields

[petrochenkov]

This PR implements the strictest version of such "privatization" - it just sets visibilities for struct constructors, this affects everything including imports.

visibility(struct_ctor) = min(visibility(struct), visibility(field_1), ..., visibility(field_N))

Needs crater run before proceeding.

Resolves rust-lang/rfcs#902

r? @nikomatsakis

[nikomatsakis]

Kicked off a crater run.

[nikomatsakis]

Crater report: https://gist.github.com/nikomatsakis/1ab3b82ab09e83c587b6256c06da2b25

Root regressions, sorted by rank (checked means "investigated"):

• syntex_syntax-0.54.0 (before) (after)
• libflo-0.1.2 (before) (after)
• rotor-stream-0.6.2 (before) (after)
• appscraps_environment-0.1.0 (before) (after)
• jsonrpc-macros-0.1.0 (before) (after)
• betsy-0.1.3 (before) (after)
• qwk-0.1.3 (before) (after)
• radiant-rs-0.1.2 (before) (after)
• textwrap-0.3.0 (before) (after)
• gluon_language-server-0.2.0 (before) (after)

[petrochenkov]

There are 3 distinct regressions:
rotor-stream-0.6.2, radiant-rs-0.1.2 and syntex_syntax-0.54.0.
Other "root" regressions actually depend on older versions of syntex_syntax.

All the regressions can be minimized like this:

mod m {
    // Tuple struct with a private field.
    // Type S is pub(pub).
    // The field S::0 is pub(m).
    // Constructor S is min(pub(pub), pub(m)) -> pub(m).
    pub struct S(u8);
    
    fn f() {
        // Try to use S from the root module in value namespace.
        // No success, ::S exists only in type namespace.
        // How to fix: use S from this module instead of ::S from the root module.
        ::S;
    }
}

// This imports S only in type namespace, value S is too private.
// This is expected filtering behavior of imports described in RFC 1560.
use m::S;

fn main() {}

The semantics visibility(struct_ctor) = min(visibility(struct), visibility(field_1), ..., visibility(field_N)) is what I'd prefer to go for instead of just prohibiting private ctors in patterns. I'm interested in what @nrc and @jseyfried think about this.

Warning period may be non-trivial, but I'll try to look what inaccessible_extern_crate does and repeat it.

[nikomatsakis]

@petrochenkov nice analysis, interesting example. I too am curious what @jseyfried and @nrc think =)

cc @rust-lang/lang -- this has to do with the visibility of struct constructors, and the (somewhat odd, but at one time legal) pattern that breaks if you change it. Basically you could pub use the value namespace from a place that isn't allowed to use it, but only use from inside another module where it is legal to use it. This seems surprising.

[jseyfried]

I'm in favor of this solution -- I think it's the cleanest way to guarantee that e.g. pub struct S(u32); is indistinguishable from pub struct S { x: u32 } outside S's module.

To implement a warning cycle, I would

• not touch import resolution; I believe this PR is highly unlikely to break import resolution in practice
• after import resolution, warn iff
  • we can't resolve a value S in a given scope,
  • the type S in that scope resolves to a tuple struct, and
  • the tuple struct's constructor is visible.

[nrc]

I'm also in favour of this, seems like the sensible approach.

[nikomatsakis]

@petrochenkov -- it seems like there is a general 👍 to this approach. Are you pursuing code for a warning period? @jseyfried has some suggestions here.

[petrochenkov]

Yes, I'll update the PR in a few days.

[petrochenkov]

Updated with a compatibility lint (following the strategy from #38932 (comment)).
I've made the lint deny-by-default because it's really hacky and not entirely precise, and the number of regressions is small.

[bors]

☔ The latest upstream changes (presumably #39199) made this pull request unmergeable. Please resolve the merge conflicts.

[petrochenkov]

Rebased.

[bors]

☔ The latest upstream changes (presumably #39060) made this pull request unmergeable. Please resolve the merge conflicts.

[jseyfried]

r=me modulo comments

[jseyfried]

Could we inform the user here that the tuple struct constructor S is private?
We could use the same condition as the warning cycle, except that we would report if the constructor were not visible.

[petrochenkov]

Yeah, that would be useful, but I hoped to get rid of legacy_ctor_visibilities together with the compatibility lint.
What I don't like is that this table is filled on all successful runs, but is actually needed very rarely.
Is there any way to map struct's DefId into (ctor's DefId + ctor's ty::Visibility) on demand without building tables in advance?
It'll also require extending metadata reading interface to obtain the same mapping for other crates. I really dislike adding code through the compiler that is necessary only for reporting a single special note, but well...

[nikomatsakis]

I agree with @jseyfried that the warning seems nice

[jseyfried]

@petrochenkov

Is there any way to map struct's DefId into (ctor's DefId + ctor's ty::Visibility) on demand without building tables in advance?

We could simplify a little by mapping the struct's DefId to the ctor's &'a NameBinding<'a>, but we'd still be building an extra table.

To avoid that, we could add a variant

NameBindingKind::TupleStruct(Def, &'a NameBinding<'a> /* ctor */)

and use that for tuple struct type bindings instead of NameBindingKind::Def.
NameBindingKind is well encapsulated, so that shouldn't be too big of a change -- still might not be worth it though.

[jseyfried]

Do we need to make this deny-by-default, given that there are three breaking crates in the wild?
While the warning cycle is a bit hacky, I think the risk of "false positives" is very low.

[petrochenkov]

3 is small, no?
I preferred deny-by-default mostly to avoid successfully compiling more illegal code by default.

[nikomatsakis]

The policy is usually warn-by-default, then deny-by-default, no? But we can make an exception, though we should make an RFC bot request about it. Either way, we should contact the authors of the crates in question and/or submit PRs.

[nikomatsakis]

@rfcbot fcp merge

This is a fix to a privacy oversight that allows people to observe whether a tuple struct with a private field was defined as a tuple struct or not, something which was not intended to be public. The problem is that people can do let Foo(_) = ... only if the struct is defined as a tuple struct. The fix is to consider this illegal if the struct has only private fields.

The question is whether to make this a WARN-by-default or DENY-by-default lint. The usual policy would be warn-by-default. There are currently three root crates breaking in the wild. There are a lot of affected crates out there (285?) but I believe that most of those will be unaffected in short term because of cap-lints, though we will want to ensure they upgrade at some point.

• rotor-stream-0.6.2 (cc @tailhook)
• radiant-rs-0.1.2 (cc @sinesc)
• syntex_syntax-0.54.0 (any need for a cc here?)

Given the small number of affected crates, I think starting with deny-by-default is reasonable (in particular, since this can still be overridden by cap-lints, and so most crates should be unaffected until there is time to fix the problem). Hence the FCP "merge" request. But I'd like to hear others' opinions (including the authors of the affected crates).

cc @rust-lang/compiler @rust-lang/core

[rfcbot]

Team member @nikomatsakis has proposed to merge this. The next step is review by the rest of the tagged teams:

• @Aatch
• @arielb1
• @bkoropoff
• @dotdash
• @eddyb
• @michaelwoerister
• @nikomatsakis
• @nrc
• @pnkfelix

No concerns currently listed.

Once these reviewers reach consensus, this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up!

See this document for info about what commands tagged team members can give me.

[aturon]

Agreed that deny-by-default seems OK here. Glad to see this getting fixed!

[sinesc]

Regarding radiant, it looks like I just forgot a "super" here and it happens to work anyway because the root pub uses the struct as well. (?)
PR makes sense to me, assuming my understanding is correct :-)

[rfcbot]

🔔 This is now entering its final comment period, as per the review above. 🔔

[nikomatsakis]

r? @jseyfried

The code looks reasonable to me, but I think @jseyfried is better suited to really review this.

[jseyfried]

@petrochenkov r=me with the diagnostics improvement.

[petrochenkov]

Updated with better diagnostics.
I'm not sending this to bors, the FCP still continues. (for how long?)

[petrochenkov]

This is a compiletest bug. If one error has two labels, compiletest will require two "expected errors".

[aturon]

@petrochenkov

I'm not sending this to bors, the FCP still continues. (for how long?)

We're abusing RFC bot here (someday we want a mode just for getting team approval of a PR). There's not actually an FCP here; you can merge at any time.

[petrochenkov]

Excellent.
@bors r=jseyfried

[bors]

📌 Commit d38a8ad has been approved by jseyfried

[bors]

⌛ Testing commit d38a8ad with merge 558ea08...

[bors]

💔 Test failed - status-appveyor

[petrochenkov]

@bors retry
(curl failure)

[bors]

⌛ Testing commit d38a8ad with merge 8060de2...

[bors]

💔 Test failed - status-appveyor

[petrochenkov]

@bors retry
(the same curl failure)

[bors]

⌛ Testing commit d38a8ad with merge 5dc365f...

[bors]

💔 Test failed - status-travis

[petrochenkov]

That curl issue again.
Looks like something persistent.

[alexcrichton]

@bors: retry

…

On Wed, Feb 1, 2017 at 6:30 AM, Vadim Petrochenkov ***@***.*** > wrote: That curl issue again. Looks like something persistent. — You are receiving this because you are on a team that was mentioned. Reply to this email directly, view it on GitHub <#38932 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAD95LA10zE6MuS8yIfT-rZN7iSi7GNDks5rYJbqgaJpZM4Ld0MC> .

[bors]

⌛ Testing commit d38a8ad with merge 43e169e...

[bors]

💔 Test failed - status-travis

[alexcrichton]

@bors: retry * osx linker segfault #38878

…

On Wed, Feb 1, 2017 at 6:42 PM, bors ***@***.***> wrote: 💔 Test failed - status-travis <https://travis-ci.org/rust-lang/rust/builds/197495794> — You are receiving this because you are on a team that was mentioned. Reply to this email directly, view it on GitHub <#38932 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAD95CiOYSExNQCXLrazDUXU4O2HRSVuks5rYUJ-gaJpZM4Ld0MC> .

[bors]

⌛ Testing commit d38a8ad with merge 1b6b20a...

[bors]

☀️ Test successful - status-appveyor, status-travis
Approved by: jseyfried
Pushing 1b6b20a to master...