Auto merge of #150681 - meithecatte:always-discriminate, r=JonathanBrouwer,Nadrieril

Make operational semantics of pattern matching independent of crate and module

The question of "when does matching an enum against a pattern of one of its variants read its discriminant" is currently an underspecified part of the language, causing weird behavior around borrowck, drop order, and UB.

Of course, in the common cases, the discriminant must be read to distinguish the variant of the enum, but currently the following exceptions are implemented:

1. If the enum has only one variant, we currently skip the discriminant read.
     - This has the advantage that single-variant enums behave the same way as structs in this regard.
     - However, it means that if the discriminant exists in the layout, we can't say that this discriminant being invalid is UB. This makes me particularly uneasy in its interactions with niches – consider the following example ([playground](https://play.rust-lang.org/?version=stable&mode=debug&edition=2024&gist=5904a6155cbdd39af4a2e7b1d32a9b1a)), where miri currently doesn't detect any UB (because the semantics don't specify any):

        <details><summary>Example 1</summary>

        ```rust
        #![allow(dead_code)]
        use core::mem::{size_of, transmute};
        
        #[repr(u8)]
        enum Inner {
            X(u8),
        }
        
        enum Outer {
            A(Inner),
            B(u8),
        }
        
        fn f(x: &Inner) {
            match x {
                Inner::X(v) => {
                    println!("{v}");
                }
            }
        }
        
        fn main() {
            assert_eq!(size_of::<Inner>(), 2);
            assert_eq!(size_of::<Outer>(), 2);
            let x = Outer::B(42);
            let y = &x;
            f(unsafe { transmute(y) });
        }
        ```

      </details>

2. For the purpose of the above, enums with marked with `#[non_exhaustive]` are always considered to have multiple variants when observed from foreign crates, but the actual number of variants is considered in the current crate.
    - This means that whether code has UB can depend on which crate it is in: #147722
    - In another case of `#[non_exhaustive]` affecting the runtime semantics, its presence or absence can change what gets captured by a closure, and by extension, the drop order: #147722 (comment)
    - Also at the above link, there is an example where removing `#[non_exhaustive]` can cause borrowck to suddenly start failing in another crate.
3. Moreover, we currently make a more specific check: we only read the discriminant if there is more than one *inhabited* variant in the enum.
    - This means that the semantics can differ between `foo<!>`, and a copy of `foo` where `T` was manually replaced with `!`: #146803
    - Moreover, due to the privacy rules for inhabitedness, it means that the semantics of code can depend on the *module* in which it is located.
    - Additionally, this inhabitedness rule is even uglier due to the fact that closure capture analysis needs to happen before we can determine whether types are uninhabited, which means that whether the discriminant read happens has a different answer specifically for capture analysis.
    - For the two above points, see the following example ([playground](https://play.rust-lang.org/?version=nightly&mode=debug&edition=2024&gist=a07d8a3ec0b31953942e96e2130476d9)):

        <details><summary>Example 2</summary>

        ```rust
        #![allow(unused)]
        
        mod foo {
            enum Never {}
            struct PrivatelyUninhabited(Never);
            pub enum A {
                V(String, String),
                Y(PrivatelyUninhabited),
            }
            
            fn works(mut x: A) {
                let a = match x {
                    A::V(ref mut a, _) => a,
                    _ => unreachable!(),
                };
                
                let b = match x {
                    A::V(_, ref mut b) => b,
                    _ => unreachable!(),
                };
            
                a.len(); b.len();
            }
            
            fn fails(mut x: A) {
                let mut f = || match x {
                    A::V(ref mut a, _) => (),
                    _ => unreachable!(),
                };
                
                let mut g = || match x {
                    A::V(_, ref mut b) => (),
                    _ => unreachable!(),
                };
            
                f(); g();
            }
        }
        
        use foo::A;
        
        fn fails(mut x: A) {
            let a = match x {
                A::V(ref mut a, _) => a,
                _ => unreachable!(),
            };
            
            let b = match x {
                A::V(_, ref mut b) => b,
                _ => unreachable!(),
            };
        
            a.len(); b.len();
        }
        
        
        fn fails2(mut x: A) {
            let mut f = || match x {
                A::V(ref mut a, _) => (),
                _ => unreachable!(),
            };
            
            let mut g = || match x {
                A::V(_, ref mut b) => (),
                _ => unreachable!(),
            };
        
            f(); g();
        }
        ```

        </details>

In light of the above, and following the discussion at #138961 and #147722, this PR ~~makes it so that, operationally, matching on an enum *always* reads its discriminant.~~ introduces the following changes to this behavior:

 - matching on a `#[non_exhaustive]` enum will always introduce a discriminant read, regardless of whether the enum is from an external crate
 - uninhabited variants now count just like normal ones, and don't get skipped in the checks

As per the discussion below, the resolution for point (1) above is that it should land as part of a separate PR, so that the subtler decision can be more carefully considered.

Note that this is a breaking change, due to the aforementioned changes in borrow checking behavior, new UB (or at least UB newly detected by miri), as well as drop order around closure captures. However, it seems to me that the combination of this PR with #138961 should have smaller real-world impact than #138961 by itself.

Fixes #142394 
Fixes #146590
Fixes #146803 (though already marked as duplicate)
Fixes parts of #147722
Fixes rust-lang/miri#4778

r? @Nadrieril @RalfJung 

@rustbot label +A-closures +A-patterns +T-opsem +T-lang

Author: bors

compiler/rustc_hir_typeck/src/expr_use_visitor.rs

@@ -819,14 +819,12 @@ impl<'tcx, Cx: TypeInformationCtxt<'tcx>, D: Delegate<'tcx>> ExprUseVisitor<'tcx
     /// The core driver for walking a pattern
     ///
     /// This should mirror how pattern-matching gets lowered to MIR, as
-    /// otherwise lowering will ICE when trying to resolve the upvars.
+    /// otherwise said lowering will ICE when trying to resolve the upvars.
     ///
     /// However, it is okay to approximate it here by doing *more* accesses than
     /// the actual MIR builder will, which is useful when some checks are too
-    /// cumbersome to perform here. For example, if after typeck it becomes
-    /// clear that only one variant of an enum is inhabited, and therefore a
-    /// read of the discriminant is not necessary, `walk_pat` will have
-    /// over-approximated the necessary upvar capture granularity.
+    /// cumbersome to perform here, because e.g. they require more typeck results
+    /// than available.
     ///
     /// Do note that discrepancies like these do still create obscure corners
     /// in the semantics of the language, and should be avoided if possible.
@@ -1853,26 +1851,13 @@ impl<'tcx, Cx: TypeInformationCtxt<'tcx>, D: Delegate<'tcx>> ExprUseVisitor<'tcx
     }
 
     /// Checks whether a type has multiple variants, and therefore, whether a
-    /// read of the discriminant might be necessary. Note that the actual MIR
-    /// builder code does a more specific check, filtering out variants that
-    /// happen to be uninhabited.
-    ///
-    /// Here, it is not practical to perform such a check, because inhabitedness
-    /// queries require typeck results, and typeck requires closure capture analysis.
-    ///
-    /// Moreover, the language is moving towards uninhabited variants still semantically
-    /// causing a discriminant read, so we *shouldn't* perform any such check.
-    ///
-    /// FIXME(never_patterns): update this comment once the aforementioned MIR builder
-    /// code is changed to be insensitive to inhhabitedness.
+    /// read of the discriminant might be necessary.
     #[instrument(skip(self, span), level = "debug")]
     fn is_multivariant_adt(&self, ty: Ty<'tcx>, span: Span) -> bool {
         if let ty::Adt(def, _) = self.cx.structurally_resolve_type(span, ty).kind() {
-            // Note that if a non-exhaustive SingleVariant is defined in another crate, we need
-            // to assume that more cases will be added to the variant in the future. This mean
-            // that we should handle non-exhaustive SingleVariant the same way we would handle
-            // a MultiVariant.
-            def.variants().len() > 1 || def.variant_list_has_applicable_non_exhaustive()
+            // We treat non-exhaustive enums the same independent of the crate they are
+            // defined in, to avoid differences in the operational semantics between crates.
+            def.variants().len() > 1 || def.is_variant_list_non_exhaustive()
         } else {
             false
         }

compiler/rustc_mir_build/src/builder/matches/match_pair.rs

@@ -291,22 +291,18 @@ impl<'tcx> MatchPairTree<'tcx> {
                 }
             }
 
-            PatKind::Variant { adt_def, variant_index, args, ref subpatterns } => {
+            PatKind::Variant { adt_def, variant_index, args: _, ref subpatterns } => {
                 let downcast_place = place_builder.downcast(adt_def, variant_index); // `(x as Variant)`
                 cx.field_match_pairs(&mut subpairs, extra_data, downcast_place, subpatterns);
 
-                let irrefutable = adt_def.variants().iter_enumerated().all(|(i, v)| {
-                    i == variant_index
-                        || !v.inhabited_predicate(cx.tcx, adt_def).instantiate(cx.tcx, args).apply(
-                            cx.tcx,
-                            cx.infcx.typing_env(cx.param_env),
-                            cx.def_id.into(),
-                        )
-                }) && !adt_def.variant_list_has_applicable_non_exhaustive();
-                if irrefutable {
-                    None
-                } else {
+                // We treat non-exhaustive enums the same independent of the crate they are
+                // defined in, to avoid differences in the operational semantics between crates.
+                let refutable =
+                    adt_def.variants().len() > 1 || adt_def.is_variant_list_non_exhaustive();
+                if refutable {
                     Some(TestableCase::Variant { adt_def, variant_index })
+                } else {
+                    None
                 }
             }
 

src/tools/miri/tests/fail/match/all_variants_uninhabited.rs

@@ -0,0 +1,25 @@
+#![allow(deref_nullptr)]
+
+enum Never {}
+
+fn main() {
+    unsafe {
+        match *std::ptr::null::<Result<Never, Never>>() {
+        //~^ ERROR: read discriminant of an uninhabited enum variant
+            Ok(_) => {
+                lol();
+            }
+            Err(_) => {
+                wut();
+            }
+        }
+    }
+}
+
+fn lol() {
+    println!("lol");
+}
+
+fn wut() {
+    println!("wut");
+}

src/tools/miri/tests/fail/match/all_variants_uninhabited.stderr

@@ -0,0 +1,13 @@
+error: Undefined Behavior: read discriminant of an uninhabited enum variant
+  --> tests/fail/match/all_variants_uninhabited.rs:LL:CC
+   |
+LL |         match *std::ptr::null::<Result<Never, Never>>() {
+   |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Undefined Behavior occurred here
+   |
+   = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
+   = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
+
+note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace
+
+error: aborting due to 1 previous error
+

…/tests/fail/closures/deref-in-pattern.rs …/fail/match/closures/deref-in-pattern.rssrc/tools/miri/tests/fail/closures/deref-in-pattern.rs renamed to src/tools/miri/tests/fail/match/closures/deref-in-pattern.rs src/tools/miri/tests/fail/closures/deref-in-pattern.rs renamed to src/tools/miri/tests/fail/match/closures/deref-in-pattern.rs

@@ -1,5 +1,5 @@
 error: Undefined Behavior: constructing invalid value: encountered a dangling reference (use-after-free)
-  --> tests/fail/closures/deref-in-pattern.rs:LL:CC
+  --> tests/fail/match/closures/deref-in-pattern.rs:LL:CC
    |
 LL |       let _ = || {
    |  _____________^

…ts/fail/closures/deref-in-pattern.stderr …l/match/closures/deref-in-pattern.stderrsrc/tools/miri/tests/fail/closures/deref-in-pattern.stderr renamed to src/tools/miri/tests/fail/match/closures/deref-in-pattern.stderr src/tools/miri/tests/fail/closures/deref-in-pattern.stderr renamed to src/tools/miri/tests/fail/match/closures/deref-in-pattern.stderr

@@ -1,5 +1,5 @@
 error: Undefined Behavior: constructing invalid value: encountered a dangling reference (use-after-free)
-  --> tests/fail/closures/partial-pattern.rs:LL:CC
+  --> tests/fail/match/closures/partial-pattern.rs:LL:CC
    |
 LL |       let _ = || {
    |  _____________^

…i/tests/fail/closures/partial-pattern.rs …s/fail/match/closures/partial-pattern.rssrc/tools/miri/tests/fail/closures/partial-pattern.rs renamed to src/tools/miri/tests/fail/match/closures/partial-pattern.rs src/tools/miri/tests/fail/closures/partial-pattern.rs renamed to src/tools/miri/tests/fail/match/closures/partial-pattern.rs

@@ -1,5 +1,5 @@
 error: Undefined Behavior: read discriminant of an uninhabited enum variant
-  --> tests/fail/closures/uninhabited-variant.rs:LL:CC
+  --> tests/fail/match/closures/uninhabited-variant1.rs:LL:CC
    |
 LL |         match r {
    |               ^ Undefined Behavior occurred here
@@ -8,9 +8,9 @@ LL |         match r {
    = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
    = note: stack backtrace:
            0: main::{closure#0}
-               at tests/fail/closures/uninhabited-variant.rs:LL:CC
+               at tests/fail/match/closures/uninhabited-variant1.rs:LL:CC
            1: main
-               at tests/fail/closures/uninhabited-variant.rs:LL:CC
+               at tests/fail/match/closures/uninhabited-variant1.rs:LL:CC
 
 note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace