#[may_dangle] attribute

src/librustc/hir/lowering.rs

@@ -408,6 +408,7 @@ impl<'a> LoweringContext<'a> {
             bounds: self.lower_bounds(&tp.bounds),
             default: tp.default.as_ref().map(|x| self.lower_ty(x)),
             span: tp.span,
+            pure_wrt_drop: tp.attrs.iter().any(|attr| attr.check_name("may_dangle")),
         }
     }
 
@@ -427,6 +428,7 @@ impl<'a> LoweringContext<'a> {
         hir::LifetimeDef {
             lifetime: self.lower_lifetime(&l.lifetime),
             bounds: self.lower_lifetimes(&l.bounds),
+            pure_wrt_drop: l.attrs.iter().any(|attr| attr.check_name("may_dangle")),
         }
     }
 

src/librustc/hir/mod.rs

@@ -95,6 +95,7 @@ impl fmt::Debug for Lifetime {
 pub struct LifetimeDef {
     pub lifetime: Lifetime,
     pub bounds: HirVec<Lifetime>,
+    pub pure_wrt_drop: bool,
 }
 
 /// A "Path" is essentially Rust's notion of a name; for instance:
@@ -290,6 +291,7 @@ pub struct TyParam {
     pub bounds: TyParamBounds,
     pub default: Option<P<Ty>>,
     pub span: Span,
+    pub pure_wrt_drop: bool,
 }
 
 /// Represents lifetimes and type parameters attached to a declaration
@@ -328,6 +330,36 @@ impl Generics {
     }
 }
 
+pub enum UnsafeGeneric {
+    Region(LifetimeDef, &'static str),
+    Type(TyParam, &'static str),
+}
+
+impl UnsafeGeneric {
+    pub fn attr_name(&self) -> &'static str {
+        match *self {
+            UnsafeGeneric::Region(_, s) => s,
+            UnsafeGeneric::Type(_, s) => s,
+        }
+    }
+}
+
+impl Generics {
+    pub fn carries_unsafe_attr(&self) -> Option<UnsafeGeneric> {
+        for r in &self.lifetimes {
+            if r.pure_wrt_drop {
+                return Some(UnsafeGeneric::Region(r.clone(), "may_dangle"));
+            }
+        }
+        for t in &self.ty_params {
+            if t.pure_wrt_drop {
+                return Some(UnsafeGeneric::Type(t.clone(), "may_dangle"));
+            }
+        }
+        return None;
+    }
+}
+
 /// A `where` clause in a definition
 #[derive(Clone, PartialEq, Eq, RustcEncodable, RustcDecodable, Hash, Debug)]
 pub struct WhereClause {

src/librustc/infer/error_reporting.rs

@@ -1226,16 +1226,17 @@ impl<'a, 'gcx, 'tcx> Rebuilder<'a, 'gcx, 'tcx> {
                          lifetime: hir::Lifetime,
                          region_names: &HashSet<ast::Name>)
                          -> hir::HirVec<hir::TyParam> {
-        ty_params.iter().map(|ty_param| {
-            let bounds = self.rebuild_ty_param_bounds(ty_param.bounds.clone(),
+        ty_params.into_iter().map(|ty_param| {
+            let bounds = self.rebuild_ty_param_bounds(ty_param.bounds,
                                                       lifetime,
                                                       region_names);
             hir::TyParam {
                 name: ty_param.name,
                 id: ty_param.id,
                 bounds: bounds,
-                default: ty_param.default.clone(),
+                default: ty_param.default,
                 span: ty_param.span,
+                pure_wrt_drop: ty_param.pure_wrt_drop,
             }
         }).collect()
     }
@@ -1295,7 +1296,9 @@ impl<'a, 'gcx, 'tcx> Rebuilder<'a, 'gcx, 'tcx> {
         let mut lifetimes = Vec::new();
         for lt in add {
             lifetimes.push(hir::LifetimeDef { lifetime: *lt,
-                                              bounds: hir::HirVec::new() });
+                                              bounds: hir::HirVec::new(),
+                                              pure_wrt_drop: false,
+            });
         }
         for lt in &generics.lifetimes {
             if keep.contains(&lt.lifetime.name) ||

src/librustc/ty/mod.rs

@@ -680,6 +680,11 @@ pub struct TypeParameterDef<'tcx> {
     pub default_def_id: DefId, // for use in error reporing about defaults
     pub default: Option<Ty<'tcx>>,
     pub object_lifetime_default: ObjectLifetimeDefault<'tcx>,
+
+    /// `pure_wrt_drop`, set by the (unsafe) `#[may_dangle]` attribute
+    /// on generic parameter `T`, asserts data behind the parameter
+    /// `T` won't be accessed during the parent type's `Drop` impl.
+    pub pure_wrt_drop: bool,
 }
 
 #[derive(Clone, RustcEncodable, RustcDecodable)]
@@ -688,6 +693,11 @@ pub struct RegionParameterDef<'tcx> {
     pub def_id: DefId,
     pub index: u32,
     pub bounds: Vec<&'tcx ty::Region>,
+
+    /// `pure_wrt_drop`, set by the (unsafe) `#[may_dangle]` attribute
+    /// on generic parameter `'a`, asserts data of lifetime `'a`
+    /// won't be accessed during the parent type's `Drop` impl.
+    pub pure_wrt_drop: bool,
 }
 
 impl<'tcx> RegionParameterDef<'tcx> {

src/librustc/ty/structural_impls.rs

@@ -716,6 +716,7 @@ impl<'tcx> TypeFoldable<'tcx> for ty::TypeParameterDef<'tcx> {
             default: self.default.fold_with(folder),
             default_def_id: self.default_def_id,
             object_lifetime_default: self.object_lifetime_default.fold_with(folder),
+            pure_wrt_drop: self.pure_wrt_drop,
         }
     }
 
@@ -754,6 +755,7 @@ impl<'tcx> TypeFoldable<'tcx> for ty::RegionParameterDef<'tcx> {
             def_id: self.def_id,
             index: self.index,
             bounds: self.bounds.fold_with(folder),
+            pure_wrt_drop: self.pure_wrt_drop,
         }
     }
 

src/librustc_typeck/check/dropck.rs

@@ -402,16 +402,27 @@ fn iterate_over_potentially_unsafe_regions_in_type<'a, 'b, 'gcx, 'tcx>(
     // unbounded type parameter `T`, we must resume the recursive
     // analysis on `T` (since it would be ignored by
     // type_must_outlive).
-    if has_dtor_of_interest(tcx, ty) {
-        debug!("iterate_over_potentially_unsafe_regions_in_type \
-                {}ty: {} - is a dtorck type!",
-               (0..depth).map(|_| ' ').collect::<String>(),
-               ty);
-
-        cx.rcx.type_must_outlive(infer::SubregionOrigin::SafeDestructor(cx.span),
-                                 ty, tcx.mk_region(ty::ReScope(cx.parent_scope)));
-
-        return Ok(());
+    let dropck_kind = has_dtor_of_interest(tcx, ty);
+    debug!("iterate_over_potentially_unsafe_regions_in_type \
+            ty: {:?} dropck_kind: {:?}", ty, dropck_kind);
+    match dropck_kind {
+        DropckKind::NoBorrowedDataAccessedInMyDtor => {
+            // The maximally blind attribute.
+        }
+        DropckKind::BorrowedDataMustStrictlyOutliveSelf => {
+            cx.rcx.type_must_outlive(infer::SubregionOrigin::SafeDestructor(cx.span),
+                                     ty, tcx.mk_region(ty::ReScope(cx.parent_scope)));
+            return Ok(());
+        }
+        DropckKind::RevisedSelf(revised_ty) => {
+            cx.rcx.type_must_outlive(infer::SubregionOrigin::SafeDestructor(cx.span),
+                                     revised_ty, tcx.mk_region(ty::ReScope(cx.parent_scope)));
+            // Do not return early from this case; we want
+            // to recursively process the internal structure of Self
+            // (because even though the Drop for Self has been asserted
+            //  safe, the types instantiated for the generics of Self
+            //  may themselves carry dropck constraints.)
+        }
     }
 
     debug!("iterate_over_potentially_unsafe_regions_in_type \
@@ -492,16 +503,81 @@ fn iterate_over_potentially_unsafe_regions_in_type<'a, 'b, 'gcx, 'tcx>(
     }
 }
 
+#[derive(Copy, Clone, PartialEq, Eq, Debug)]
+enum DropckKind<'tcx> {
+    /// The "safe" kind; i.e. conservatively assume any borrow
+    /// accessed by dtor, and therefore such data must strictly
+    /// outlive self.
+    ///
+    /// Equivalent to RevisedTy with no change to the self type.
+    ///
+    /// FIXME: this name may not be general enough; it should be
+    /// talking about Phantom lifetimes rather than just borrows.
+    ///
+    /// (actually, pnkfelix is not 100% sure that's the right
+    /// viewpoint.  If I'm holding a phantom lifetime just to
+    /// constrain a reference type that occurs solely in *negative*
+    /// type positions, then my destructor cannot itself ever actually
+    /// access such references, right? And don't we end up essentially
+    /// requring people to put a fake borrow inside a PhantomData in
+    /// order to make phantom lifetimes work anyway?)
+    BorrowedDataMustStrictlyOutliveSelf,
+
+    /// The nearly completely-unsafe kind.
+    ///
+    /// Equivalent to RevisedSelf with *all* parameters remapped to ()
+    /// (maybe...?)
+    NoBorrowedDataAccessedInMyDtor,
+
+    /// Assume all borrowed data access by dtor occurs as if Self has the
+    /// type carried by this variant. In practice this means that some
+    /// of the type parameters are remapped to `()`, because the developer
+    /// has asserted that the destructor will not access their contents.
+    RevisedSelf(Ty<'tcx>),
+}
+
+/// Returns the classification of what kind of check should be applied
+/// to `ty`, which may include a revised type where some of the type
+/// parameters are re-mapped to `()` to reflect the destructor's
+/// "purity" with respect to their actual contents.
 fn has_dtor_of_interest<'a, 'gcx, 'tcx>(tcx: TyCtxt<'a, 'gcx, 'tcx>,
-                                        ty: Ty<'tcx>) -> bool {
+                                        ty: Ty<'tcx>) -> DropckKind<'tcx> {
     match ty.sty {
-        ty::TyAdt(def, _) => {
-            def.is_dtorck(tcx)
+        ty::TyAdt(adt_def, substs) => {
+            if !adt_def.is_dtorck(tcx) {
+                return DropckKind::NoBorrowedDataAccessedInMyDtor;
+            }
+
+            // Find the `impl<..> Drop for _` to inspect any
+            // attributes attached to the impl's generics.
+            let opt_dtor_method = adt_def.destructor();
+            let dtor_method = if let Some(dtor_method) = opt_dtor_method {
+                dtor_method
+            } else {
+                return DropckKind::BorrowedDataMustStrictlyOutliveSelf;
+            };
+            let method = tcx.impl_or_trait_item(dtor_method);
+            let substs = Substs::for_item(tcx,
+                                          method.container().id(),
+                                          |def, _| if def.pure_wrt_drop {
+                                              tcx.mk_region(ty::ReStatic)
+                                          } else {
+                                              substs.region_for_def(def)
+                                          },
+                                          |def, _| if def.pure_wrt_drop {
+                                              tcx.mk_nil()
+                                          } else {
+                                              substs.type_for_def(def)
+                                          });
+            let revised_ty = tcx.mk_adt(adt_def, &substs);
+            return DropckKind::RevisedSelf(revised_ty);
         }
         ty::TyTrait(..) | ty::TyProjection(..) | ty::TyAnon(..) => {
             debug!("ty: {:?} isn't known, and therefore is a dropck type", ty);
-            true
+            return DropckKind::BorrowedDataMustStrictlyOutliveSelf;
         },
-        _ => false
+        _ => {
+            return DropckKind::NoBorrowedDataAccessedInMyDtor;
+        }
     }
 }

src/librustc_typeck/coherence/unsafety.rs

@@ -13,7 +13,7 @@
 
 use rustc::ty::TyCtxt;
 use rustc::hir::intravisit;
-use rustc::hir;
+use rustc::hir::{self, Unsafety};
 
 pub fn check<'a, 'tcx>(tcx: TyCtxt<'a, 'tcx, 'tcx>) {
     let mut orphan = UnsafetyChecker { tcx: tcx };
@@ -27,6 +27,7 @@ struct UnsafetyChecker<'cx, 'tcx: 'cx> {
 impl<'cx, 'tcx, 'v> UnsafetyChecker<'cx, 'tcx> {
     fn check_unsafety_coherence(&mut self,
                                 item: &'v hir::Item,
+                                impl_generics: Option<&hir::Generics>,
                                 unsafety: hir::Unsafety,
                                 polarity: hir::ImplPolarity) {
         match self.tcx.impl_trait_ref(self.tcx.map.local_def_id(item.id)) {
@@ -47,33 +48,44 @@ impl<'cx, 'tcx, 'v> UnsafetyChecker<'cx, 'tcx> {
 
             Some(trait_ref) => {
                 let trait_def = self.tcx.lookup_trait_def(trait_ref.def_id);
-                match (trait_def.unsafety, unsafety, polarity) {
-                    (hir::Unsafety::Unsafe, hir::Unsafety::Unsafe, hir::ImplPolarity::Negative) => {
+                let unsafe_attr = impl_generics.and_then(|g| g.carries_unsafe_attr());
+                match (trait_def.unsafety, unsafe_attr, unsafety, polarity) {
+                    (_, _, Unsafety::Unsafe, hir::ImplPolarity::Negative) => {
                         span_err!(self.tcx.sess,
                                   item.span,
                                   E0198,
                                   "negative implementations are not unsafe");
                     }
 
-                    (hir::Unsafety::Normal, hir::Unsafety::Unsafe, _) => {
+                    (Unsafety::Normal, None, Unsafety::Unsafe, _) => {
                         span_err!(self.tcx.sess,
                                   item.span,
                                   E0199,
                                   "implementing the trait `{}` is not unsafe",
                                   trait_ref);
                     }
 
-                    (hir::Unsafety::Unsafe, hir::Unsafety::Normal, hir::ImplPolarity::Positive) => {
+                    (Unsafety::Unsafe, _, Unsafety::Normal, hir::ImplPolarity::Positive) => {
                         span_err!(self.tcx.sess,
                                   item.span,
                                   E0200,
                                   "the trait `{}` requires an `unsafe impl` declaration",
                                   trait_ref);
                     }
 
-                    (hir::Unsafety::Unsafe, hir::Unsafety::Normal, hir::ImplPolarity::Negative) |
-                    (hir::Unsafety::Unsafe, hir::Unsafety::Unsafe, hir::ImplPolarity::Positive) |
-                    (hir::Unsafety::Normal, hir::Unsafety::Normal, _) => {
+                    (Unsafety::Normal, Some(g), Unsafety::Normal, hir::ImplPolarity::Positive) =>
+                    {
+                        span_err!(self.tcx.sess,
+                                  item.span,
+                                  E0569,
+                                  "requires an `unsafe impl` declaration due to `#[{}]` attribute",
+                                  g.attr_name());
+                    }
+
+                    (_, _, Unsafety::Normal, hir::ImplPolarity::Negative) |
+                    (Unsafety::Unsafe, _, Unsafety::Unsafe, hir::ImplPolarity::Positive) |
+                    (Unsafety::Normal, Some(_), Unsafety::Unsafe, hir::ImplPolarity::Positive) |
+                    (Unsafety::Normal, None, Unsafety::Normal, _) => {
                         // OK
                     }
                 }
@@ -86,10 +98,10 @@ impl<'cx, 'tcx, 'v> intravisit::Visitor<'v> for UnsafetyChecker<'cx, 'tcx> {
     fn visit_item(&mut self, item: &'v hir::Item) {
         match item.node {
             hir::ItemDefaultImpl(unsafety, _) => {
-                self.check_unsafety_coherence(item, unsafety, hir::ImplPolarity::Positive);
+                self.check_unsafety_coherence(item, None, unsafety, hir::ImplPolarity::Positive);
             }
-            hir::ItemImpl(unsafety, polarity, ..) => {
-                self.check_unsafety_coherence(item, unsafety, polarity);
+            hir::ItemImpl(unsafety, polarity, ref generics, ..) => {
+                self.check_unsafety_coherence(item, Some(generics), unsafety, polarity);
             }
             _ => {}
         }

src/librustc_typeck/collect.rs

@@ -1482,6 +1482,7 @@ fn generics_of_def_id<'a, 'tcx>(ccx: &CrateCtxt<'a, 'tcx>,
                             default_def_id: tcx.map.local_def_id(parent),
                             default: None,
                             object_lifetime_default: ty::ObjectLifetimeDefault::BaseDefault,
+                            pure_wrt_drop: false,
                         };
                         tcx.ty_param_defs.borrow_mut().insert(param_id, def.clone());
                         opt_self = Some(def);
@@ -1526,7 +1527,8 @@ fn generics_of_def_id<'a, 'tcx>(ccx: &CrateCtxt<'a, 'tcx>,
                 def_id: tcx.map.local_def_id(l.lifetime.id),
                 bounds: l.bounds.iter().map(|l| {
                     ast_region_to_region(tcx, l)
-                }).collect()
+                }).collect(),
+                pure_wrt_drop: l.pure_wrt_drop,
             }
         }).collect::<Vec<_>>();
 
@@ -1926,6 +1928,7 @@ fn get_or_create_type_parameter_def<'a,'tcx>(ccx: &CrateCtxt<'a,'tcx>,
         default_def_id: ccx.tcx.map.local_def_id(parent),
         default: default,
         object_lifetime_default: object_lifetime_default,
+        pure_wrt_drop: param.pure_wrt_drop,
     };
 
     if def.name == keywords::SelfType.name() {

src/librustc_typeck/diagnostics.rs

@@ -2819,6 +2819,23 @@ not a distinct static type. Likewise, it's not legal to attempt to
 behavior for specific enum variants.
 "##,
 
+E0569: r##"
+If an impl has a generic parameter with the `#[may_dangle]` attribute, then
+that impl must be declared as an `unsafe impl. For example:
+
+```compile_fail,E0569
+struct Foo<X>(X);
+impl<#[may_dangle] X> Drop for Foo {
+    fn drop(&mut self) { }
+}
+```
+
+In this example, we are asserting that the destructor for `Foo` will not
+access any data of type `X`, and require this assertion to be true for
+overall safety in our program. The compiler does not currently attempt to
+verify this assertion; therefore we must tag this `impl` as unsafe.
+"##,
+
 E0318: r##"
 Default impls for a trait must be located in the same crate where the trait was
 defined. For more information see the [opt-in builtin traits RFC](https://github