replace may dangle with 2 attributes

Author: lcnr

0000-template.md

@@ -1,97 +1,235 @@
-- Feature Name: (fill me in with a unique ident, `my_awesome_feature`)
+- Feature Name: (`dropck_eyepatch_v3`)
 - Start Date: (fill me in with today's date, YYYY-MM-DD)
 - RFC PR: [rust-lang/rfcs#0000](https://github.com/rust-lang/rfcs/pull/0000)
 - Rust Issue: [rust-lang/rust#0000](https://github.com/rust-lang/rust/issues/0000)
 
 # Summary
 [summary]: #summary
 
-One paragraph explanation of the feature.
+Cleanup the rules for implicit drops by splitting `#[may_dangle]` into two separate attributes
+`#[only_dropped]` and `#[fully_ignored]`. Change `PhantomData` to get completely ignored
+by dropck as its current behavior is confusing and inconsistent.
 
 # Motivation
 [motivation]: #motivation
 
-Why are we doing this? What use cases does it support? What is the expected outcome?
+The current rules around dropck and `#[may_dangle]` are confusing and have even resulted in
+unsoundness [multiple](https://github.com/rust-lang/rust/issues/76367)
+[times](https://github.com/rust-lang/rust/issues/99408). Even without `#[may_dangle]`,
+dropping `PhantomData` is currently quite weird as you get "spooky-dropck-at-a-distance":
+
+```rust
+use std::marker::PhantomData;
+struct PrintOnDrop<'a>(&'a str); // requires `'a` to be live on drop.
+impl Drop for PrintOnDrop<'_> {
+    fn drop(&mut self) {
+        println!("{}", self.0)
+    }
+}
+
+fn assign<T>(_: T) -> PhantomData<T> {
+    PhantomData
+}
+
+// The type of `_x` is `AdtNoDrop<'not_live>` which doesn't have drop glue, OK
+struct AdtNoDrop<'a>(PhantomData<PrintOnDrop<'a>>, u32);
+fn phantom_data_adt_no_drop() {
+    let _x;
+    {
+        let temp = String::from("temporary");
+        _x = AdtNoDrop(assign(PrintOnDrop(&temp)), 0);
+    }
+}
+
+// The type of `_x` is `AdtNoDrop<'not_live>` which has drop glue, ERROR
+struct AdtNeedsDrop<'a>(PhantomData<PrintOnDrop<'a>>, String);
+fn phantom_data_adt_needs_drop() {
+    let _x;
+    {
+        let temp = String::from("temporary");
+        _x = AdtNeedsDrop(assign(PrintOnDrop(&temp)), String::new());
+    }
+}
+```
+[playground](https://play.rust-lang.org/?version=stable&mode=debug&edition=2021&gist=9ce9d368d2f13df9ddcbfaf9580721e0)
 
 # Guide-level explanation
 [guide-level-explanation]: #guide-level-explanation
 
-Explain the proposal as if it was already included in the language and you were teaching it to another Rust programmer. That generally means:
+When a value goes out of scope the compiler adds drop glue for that value, recursively dropping it and all its fields.
+Dropping a type containing a lifetime which is no longer live is accepted if that lifetime is never accessed:
+```rust
+struct MyType<'s> {
+    reference: &'s str,
+    needs_drop: String,
+}
+fn can_drop_dead_reference() {
+    let _x;
+    {
+        let temp = String::from("I am only temporary");
+        _x = MyType {
+            reference: &temp,
+            needs_drop: String::from("I have to get dropped"),
+        };
+    }
+    // We drop `_x` here even though `reference` is no longer live.
+    //
+    // This is fine as dropping a reference is a noop and does not
+    // acess the pointee.
+}
+```
+The above example will however fail if we add a manual `Drop` impl as the compiler conservatively
+assumes that all generic parameters of the `Drop` impl are considered used:
+[playground](https://play.rust-lang.org/?version=stable&mode=debug&edition=2021&gist=e604bcaecb7b2b4cf7fd0440faf165ac).
+
+In case a manual `Drop` impl does not access a generic parameter, you can add
+`#[fully_unused]` or `#[only_dropped]` to that parameter. This **unsafely** asserts
+that the parameter is either completely unused when dropping your type or only
+recursively dropped.
+
+```rust
+struct MyType<'s> {
+    reference: &'s str,
+    needs_drop: String,
+}
+// The impl has to be `unsafe` as the compiler does may not check
+// that `'s` is actually unused.
+unsafe impl<#[only_dropped] 's> Drop for MyType<'s> {
+    fn drop(&mut self) {
+        // println!("{}", reference); // this would be unsound
+        println!("{}", needs_drop);
+    }
+}
+fn can_drop_dead_reference() {
+    let _x;
+    {
+        let temp = String::from("I am only temporary");
+        _x = MyType {
+            reference: &temp,
+            needs_drop: String::from("I have to get dropped"),
+        };
+    }
+    // We drop `_x` here even though `reference` is no longer live.
+    //
+    // This is accepted as `'s` is marked as `#[only_dropped]` in the
+    // `Drop` impl of `MyType`.
+}
+```
+
+The ability to differentiate between `#[fully_unused]` and `#[only_dropped]` is especially useful
+for type parameters, consider the following simplified types from the standard library:
+
+```rust
+pub struct BTreeMap<K, V> {
+    root: Option<Root<K, V>>,
+    length: usize,
+}
+
+unsafe impl<#[only_dropped] K, #[only_dropped] V> Drop for BTreeMap<K, V> {
+    fn drop(&mut self) {
+        // Recursively drops the key-value pairs but doesn't otherwise
+        // inspect them, so we can use `#[only_dropped]` here.
+        drop(unsafe {ptr::read(self) }.into_iter())
+    }
+}
+```
+
+A type where `#[fully_unused]` would be useful is a `Weak` pointer for a variant of `Rc`
+where the value is dropped when the last `Rc` goes out of scope. Dropping a `Weak` pointer
+would never access `T` in this case.
 
-- Introducing new named concepts.
-- Explaining the feature largely in terms of examples.
-- Explaining how Rust programmers should *think* about the feature, and how it should impact the way they use Rust. It should explain the impact as concretely as possible.
-- If applicable, provide sample error messages, deprecation warnings, or migration guidance.
-- If applicable, describe the differences between teaching this to existing Rust programmers and new Rust programmers.
-- Discuss how this impacts the ability to read, understand, and maintain Rust code. Code is read and modified far more often than written; will the proposed feature make code easier to maintain?
-
-For implementation-oriented RFCs (e.g. for compiler internals), this section should focus on how compiler contributors should think about the change, and give examples of its concrete impact. For policy RFCs, this section should provide an example-driven introduction to the policy, and explain its impact in concrete terms.
 
 # Reference-level explanation
 [reference-level-explanation]: #reference-level-explanation
 
-This is the technical portion of the RFC. Explain the design in sufficient detail that:
-
-- Its interaction with other features is clear.
-- It is reasonably clear how the feature would be implemented.
-- Corner cases are dissected by example.
-
-The section should return to the examples given in the previous section, and explain more fully how the detailed proposal makes those examples work.
+Whenever we use a value of a given type this type has to be **well-formed**, requiring
+that all lifetimes in this type are live. An exception to this is the implicit drop when
+a variable goes out of scope. While borrowck ensures that dropping the variable is safe,
+this does not necessarily require all lifetimes to be live.
+
+When implicitly dropping a variable of type `T`, liveness requirements are computed as follows:
+- If `T` does not have any drop glue, do not add any requirements.
+- If `T` is a trait object, `T` has to be live.
+- If `T` has an explicit `Drop` impl, require all generic argument to be live, unless
+    - they are marked with `#[fully_unused]`, in which case they are ignored,
+    - or they are marked with `#[only_dropped]`, in which case recurse into the generic argument.
+- Regardless of whether `T` implements `Drop`, recurse into all types *owned* by `T`:
+    - references, raw pointers, function pointers, function items and scalars do not own
+      anything. They are trivially drop.
+    - tuples and arrays consider their element types to be owned.
+    - all fields (of all variants) of ADTs are considered owned. We consider all variants
+      for enums. The only exception here is `ManuallyDrop<U>` which does not consider `U` to
+      be owned. `PhantomData<U>` does not have any fields and therefore also does not consider
+      `U` to be owned. 
+    - closures and generators consider their upvars to be owned.
+
+Checking drop impls may error for generic parameters which are known to be incorrectly marked:
+- `#[fully_unused]` parameters which are recursively owned
+- `#[only_dropped]` parameters which are required to be live by a recursively owned type
+
+This cannot catch all misuses, as the parameters can be incorrectly used by the `Drop` impl itself.
+We therefore require the impl to be marked as `unsafe`.
+
+## How this differs from the status quo
+
+Instead of `#[fully_unused]` and `#[only_dropped]`,there is only the `#[may_dangle]` attribute which
+skips the generic parameter. This is equivalent to the behavior of `#[fully_unused]` and relies on the recursion
+into types owned by `T` to figure out the correct constraints.
+
+`PhantomData<U>` currently considers `U` to be owned while not having drop glue itself. This means
+that `(PhantomData<PrintOnDrop<'s>>, String)` requires `'s` to be live while
+`(PhantomData<PrintOnDrop<'s>>, u32)` does not. The current behavior is required for get the
+behavior of `#[only_dropped]` for unowned parameters by adding `PhantomData` as a field.
+One can easily forget this, which caused the [unsound](https://github.com/rust-lang/rust/issues/76367)
+[issues](https://github.com/rust-lang/rust/issues/99408) mentioned above.
 
 # Drawbacks
 [drawbacks]: #drawbacks
 
-Why should we *not* do this?
+It requires an additional attribute when compared with `#[may_dangle]` and also proposes checks that the
+attributes are correctly used. This adds a small amount of implementation complexity to the compiler.
+These new attributes are still not fully checked by the compiler and require `unsafe`.
+
+This RFC does not explicitly exclude stabilizing these two attributes, as they are clearer and far less
+dangerous to use when compared with `#[may_dangle]`. Stabilizing these attributes will make it harder to
+stabilize a more general solution like type state.
 
 # Rationale and alternatives
 [rationale-and-alternatives]: #rationale-and-alternatives
 
-- Why is this design the best in the space of possible designs?
-- What other designs have been considered and what is the rationale for not choosing them?
-- What is the impact of not doing this?
-- If this is a language proposal, could this be done in a library or macro instead? Does the proposed change make Rust code easier or harder to read, understand, and maintain?
+The status quo of `#[may_dangle]` and "spooky-dropck-at-a-distance" is far from ideal and has already
+resulted in unsound issues. Documenting the current behavior makes is more difficult to change later
+while not officially documenting it is bound to lead to more issues and confusion going forward.
+It is therefore quite important to improve the status quo.
+
+A more general extension to deal with partially invalid types is far from trivial. We currently
+assume types to always be well-formed and any approach which generalizes `#[may_dangle]` will
+have huge consequences for how well-formedness is handled. This impacts many - often implicit -
+interactions and assumptions. It is highly unlikely that we will have the capacity for any such change
+in the near future. The benefits from such are change are also likely to be fairly limited while
+adding significant complexity.
 
 # Prior art
 [prior-art]: #prior-art
 
-Discuss prior art, both the good and the bad, in relation to this proposal.
-A few examples of what this can include are:
+`#[may_dangle]` is already a refinement of the previous `#[unsafe_destructor_blind_to_params]` attribute
+([RFC 1327](https://github.com/rust-lang/rfcs/pull/1327)).
 
-- For language, library, cargo, tools, and compiler proposals: Does this feature exist in other programming languages and what experience have their community had?
-- For community proposals: Is this done by some other community and what were their experiences with it?
-- For other teams: What lessons can we learn from what other communities have done here?
-- Papers: Are there any published papers or great posts that discuss this? If you have some relevant papers to refer to, this can serve as a more detailed theoretical background.
+There is also [RFC 3390](https://github.com/rust-lang/rfcs/pull/3390) which attempts to define a more
+general extension to replace `#[may_dangle]`. As mentioned in the rationale, such an approach is not
+feasable right now.
 
-This section is intended to encourage you as an author to think about the lessons from other languages, provide readers of your RFC with a fuller picture.
-If there is no prior art, that is fine - your ideas are interesting to us whether they are brand new or if it is an adaptation from other languages.
-
-Note that while precedent set by other languages is some motivation, it does not on its own motivate an RFC.
-Please also take into consideration that rust sometimes intentionally diverges from common language features.
 
 # Unresolved questions
 [unresolved-questions]: #unresolved-questions
 
-- What parts of the design do you expect to resolve through the RFC process before this gets merged?
-- What parts of the design do you expect to resolve through the implementation of this feature before stabilization?
-- What related issues do you consider out of scope for this RFC that could be addressed in the future independently of the solution that comes out of this RFC?
+Should these attributes remain purely unstable for use in the standard library or do we want
+to provide them to stable users?
+
 
 # Future possibilities
 [future-possibilities]: #future-possibilities
 
-Think about what the natural extension and evolution of your proposal would
-be and how it would affect the language and project as a whole in a holistic
-way. Try to use this section as a tool to more fully consider all possible
-interactions with the project and language in your proposal.
-Also consider how this all fits into the roadmap for the project
-and of the relevant sub-team.
-
-This is also a good place to "dump ideas", if they are out of scope for the
-RFC you are writing but otherwise related.
-
-If you have tried and cannot think of any future possibilities,
-you may simply state that you cannot think of anything.
+Extending or generalizing the dropck eyepatch... something something type state.
 
-Note that having something written down in the future-possibilities section
-is not a reason to accept the current or a future RFC; such notes should be
-in the section on motivation or rationale in this or subsequent RFCs.
-The section merely provides additional information.
+[`IndexVec`](https://doc.rust-lang.org/nightly/nightly-rustc/rustc_index/vec/struct.IndexVec.html)