| // Copyright 2012-2014 The Rust Project Developers. See the COPYRIGHT |
| // file at the top-level directory of this distribution and at |
| // http://rust-lang.org/COPYRIGHT. |
| // |
| // Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or |
| // http://www.apache.org/licenses/LICENSE-2.0> or the MIT license |
| // <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your |
| // option. This file may not be copied, modified, or distributed |
| // except according to those terms. |
| |
| #![crate_name = "rustc_privacy"] |
| #![unstable(feature = "rustc_private", issue = "27812")] |
| #![crate_type = "dylib"] |
| #![crate_type = "rlib"] |
| #![doc(html_logo_url = "https://www.rust-lang.org/logos/rust-logo-128x128-blk-v2.png", |
| html_favicon_url = "https://doc.rust-lang.org/favicon.ico", |
| html_root_url = "https://doc.rust-lang.org/nightly/")] |
| #![cfg_attr(not(stage0), deny(warnings))] |
| |
| #![feature(rustc_diagnostic_macros)] |
| #![feature(rustc_private)] |
| #![feature(staged_api)] |
| |
| extern crate rustc; |
| #[macro_use] extern crate syntax; |
| extern crate syntax_pos; |
| |
| use rustc::dep_graph::DepNode; |
| use rustc::hir::{self, PatKind}; |
| use rustc::hir::def::{self, Def}; |
| use rustc::hir::def_id::DefId; |
| use rustc::hir::intravisit::{self, Visitor}; |
| use rustc::hir::pat_util::EnumerateAndAdjustIterator; |
| use rustc::lint; |
| use rustc::middle::privacy::{AccessLevel, AccessLevels}; |
| use rustc::ty::{self, TyCtxt}; |
| use rustc::util::nodemap::NodeSet; |
| use syntax::ast; |
| use syntax_pos::Span; |
| |
| use std::cmp; |
| use std::mem::replace; |
| |
| pub mod diagnostics; |
| |
| //////////////////////////////////////////////////////////////////////////////// |
| /// The embargo visitor, used to determine the exports of the ast |
| //////////////////////////////////////////////////////////////////////////////// |
| |
| struct EmbargoVisitor<'a, 'tcx: 'a> { |
| tcx: TyCtxt<'a, 'tcx, 'tcx>, |
| export_map: &'a def::ExportMap, |
| |
| // Accessibility levels for reachable nodes |
| access_levels: AccessLevels, |
| // Previous accessibility level, None means unreachable |
| prev_level: Option<AccessLevel>, |
| // Have something changed in the level map? |
| changed: bool, |
| } |
| |
| struct ReachEverythingInTheInterfaceVisitor<'b, 'a: 'b, 'tcx: 'a> { |
| ev: &'b mut EmbargoVisitor<'a, 'tcx>, |
| } |
| |
| impl<'a, 'tcx> EmbargoVisitor<'a, 'tcx> { |
| fn ty_level(&self, ty: &hir::Ty) -> Option<AccessLevel> { |
| if let hir::TyPath(..) = ty.node { |
| match self.tcx.expect_def(ty.id) { |
| Def::PrimTy(..) | Def::SelfTy(..) | Def::TyParam(..) => { |
| Some(AccessLevel::Public) |
| } |
| def => { |
| if let Some(node_id) = self.tcx.map.as_local_node_id(def.def_id()) { |
| self.get(node_id) |
| } else { |
| Some(AccessLevel::Public) |
| } |
| } |
| } |
| } else { |
| Some(AccessLevel::Public) |
| } |
| } |
| |
| fn trait_level(&self, trait_ref: &hir::TraitRef) -> Option<AccessLevel> { |
| let did = self.tcx.expect_def(trait_ref.ref_id).def_id(); |
| if let Some(node_id) = self.tcx.map.as_local_node_id(did) { |
| self.get(node_id) |
| } else { |
| Some(AccessLevel::Public) |
| } |
| } |
| |
| fn get(&self, id: ast::NodeId) -> Option<AccessLevel> { |
| self.access_levels.map.get(&id).cloned() |
| } |
| |
| // Updates node level and returns the updated level |
| fn update(&mut self, id: ast::NodeId, level: Option<AccessLevel>) -> Option<AccessLevel> { |
| let old_level = self.get(id); |
| // Accessibility levels can only grow |
| if level > old_level { |
| self.access_levels.map.insert(id, level.unwrap()); |
| self.changed = true; |
| level |
| } else { |
| old_level |
| } |
| } |
| |
| fn reach<'b>(&'b mut self) -> ReachEverythingInTheInterfaceVisitor<'b, 'a, 'tcx> { |
| ReachEverythingInTheInterfaceVisitor { ev: self } |
| } |
| } |
| |
| impl<'a, 'tcx, 'v> Visitor<'v> for EmbargoVisitor<'a, 'tcx> { |
| /// We want to visit items in the context of their containing |
| /// module and so forth, so supply a crate for doing a deep walk. |
| fn visit_nested_item(&mut self, item: hir::ItemId) { |
| let tcx = self.tcx; |
| self.visit_item(tcx.map.expect_item(item.id)) |
| } |
| |
| fn visit_item(&mut self, item: &hir::Item) { |
| let inherited_item_level = match item.node { |
| // Impls inherit level from their types and traits |
| hir::ItemImpl(_, _, _, None, ref ty, _) => { |
| self.ty_level(&ty) |
| } |
| hir::ItemImpl(_, _, _, Some(ref trait_ref), ref ty, _) => { |
| cmp::min(self.ty_level(&ty), self.trait_level(trait_ref)) |
| } |
| hir::ItemDefaultImpl(_, ref trait_ref) => { |
| self.trait_level(trait_ref) |
| } |
| // Foreign mods inherit level from parents |
| hir::ItemForeignMod(..) => { |
| self.prev_level |
| } |
| // Other `pub` items inherit levels from parents |
| _ => { |
| if item.vis == hir::Public { self.prev_level } else { None } |
| } |
| }; |
| |
| // Update level of the item itself |
| let item_level = self.update(item.id, inherited_item_level); |
| |
| // Update levels of nested things |
| match item.node { |
| hir::ItemEnum(ref def, _) => { |
| for variant in &def.variants { |
| let variant_level = self.update(variant.node.data.id(), item_level); |
| for field in variant.node.data.fields() { |
| self.update(field.id, variant_level); |
| } |
| } |
| } |
| hir::ItemImpl(_, _, _, None, _, ref impl_items) => { |
| for impl_item in impl_items { |
| if impl_item.vis == hir::Public { |
| self.update(impl_item.id, item_level); |
| } |
| } |
| } |
| hir::ItemImpl(_, _, _, Some(_), _, ref impl_items) => { |
| for impl_item in impl_items { |
| self.update(impl_item.id, item_level); |
| } |
| } |
| hir::ItemTrait(_, _, _, ref trait_items) => { |
| for trait_item in trait_items { |
| self.update(trait_item.id, item_level); |
| } |
| } |
| hir::ItemStruct(ref def, _) => { |
| if !def.is_struct() { |
| self.update(def.id(), item_level); |
| } |
| for field in def.fields() { |
| if field.vis == hir::Public { |
| self.update(field.id, item_level); |
| } |
| } |
| } |
| hir::ItemForeignMod(ref foreign_mod) => { |
| for foreign_item in &foreign_mod.items { |
| if foreign_item.vis == hir::Public { |
| self.update(foreign_item.id, item_level); |
| } |
| } |
| } |
| _ => {} |
| } |
| |
| // Mark all items in interfaces of reachable items as reachable |
| match item.node { |
| // The interface is empty |
| hir::ItemExternCrate(..) => {} |
| // All nested items are checked by visit_item |
| hir::ItemMod(..) => {} |
| // Reexports are handled in visit_mod |
| hir::ItemUse(..) => {} |
| // Visit everything |
| hir::ItemConst(..) | hir::ItemStatic(..) | hir::ItemFn(..) | |
| hir::ItemTrait(..) | hir::ItemTy(..) | hir::ItemImpl(_, _, _, Some(..), _, _) => { |
| if item_level.is_some() { |
| self.reach().visit_item(item); |
| } |
| } |
| // Visit everything, but enum variants have their own levels |
| hir::ItemEnum(ref def, ref generics) => { |
| if item_level.is_some() { |
| self.reach().visit_generics(generics); |
| } |
| for variant in &def.variants { |
| if self.get(variant.node.data.id()).is_some() { |
| for field in variant.node.data.fields() { |
| self.reach().visit_struct_field(field); |
| } |
| // Corner case: if the variant is reachable, but its |
| // enum is not, make the enum reachable as well. |
| self.update(item.id, Some(AccessLevel::Reachable)); |
| } |
| } |
| } |
| // Visit everything, but foreign items have their own levels |
| hir::ItemForeignMod(ref foreign_mod) => { |
| for foreign_item in &foreign_mod.items { |
| if self.get(foreign_item.id).is_some() { |
| self.reach().visit_foreign_item(foreign_item); |
| } |
| } |
| } |
| // Visit everything except for private fields |
| hir::ItemStruct(ref struct_def, ref generics) => { |
| if item_level.is_some() { |
| self.reach().visit_generics(generics); |
| for field in struct_def.fields() { |
| if self.get(field.id).is_some() { |
| self.reach().visit_struct_field(field); |
| } |
| } |
| } |
| } |
| // The interface is empty |
| hir::ItemDefaultImpl(..) => {} |
| // Visit everything except for private impl items |
| hir::ItemImpl(_, _, ref generics, None, _, ref impl_items) => { |
| if item_level.is_some() { |
| self.reach().visit_generics(generics); |
| for impl_item in impl_items { |
| if self.get(impl_item.id).is_some() { |
| self.reach().visit_impl_item(impl_item); |
| } |
| } |
| } |
| } |
| } |
| |
| let orig_level = self.prev_level; |
| self.prev_level = item_level; |
| |
| intravisit::walk_item(self, item); |
| |
| self.prev_level = orig_level; |
| } |
| |
| fn visit_block(&mut self, b: &'v hir::Block) { |
| let orig_level = replace(&mut self.prev_level, None); |
| |
| // Blocks can have public items, for example impls, but they always |
| // start as completely private regardless of publicity of a function, |
| // constant, type, field, etc. in which this block resides |
| intravisit::walk_block(self, b); |
| |
| self.prev_level = orig_level; |
| } |
| |
| fn visit_mod(&mut self, m: &hir::Mod, _sp: Span, id: ast::NodeId) { |
| // This code is here instead of in visit_item so that the |
| // crate module gets processed as well. |
| if self.prev_level.is_some() { |
| if let Some(exports) = self.export_map.get(&id) { |
| for export in exports { |
| if let Some(node_id) = self.tcx.map.as_local_node_id(export.def_id) { |
| self.update(node_id, Some(AccessLevel::Exported)); |
| } |
| } |
| } |
| } |
| |
| intravisit::walk_mod(self, m); |
| } |
| |
| fn visit_macro_def(&mut self, md: &'v hir::MacroDef) { |
| self.update(md.id, Some(AccessLevel::Public)); |
| } |
| } |
| |
| impl<'b, 'a, 'tcx: 'a> ReachEverythingInTheInterfaceVisitor<'b, 'a, 'tcx> { |
| // Make the type hidden under a type alias reachable |
| fn reach_aliased_type(&mut self, item: &hir::Item, path: &hir::Path) { |
| if let hir::ItemTy(ref ty, ref generics) = item.node { |
| // See `fn is_public_type_alias` for details |
| self.visit_ty(ty); |
| let provided_params = path.segments.last().unwrap().parameters.types().len(); |
| for ty_param in &generics.ty_params[provided_params..] { |
| if let Some(ref default_ty) = ty_param.default { |
| self.visit_ty(default_ty); |
| } |
| } |
| } |
| } |
| } |
| |
| impl<'b, 'a, 'tcx: 'a, 'v> Visitor<'v> for ReachEverythingInTheInterfaceVisitor<'b, 'a, 'tcx> { |
| fn visit_ty(&mut self, ty: &hir::Ty) { |
| if let hir::TyPath(_, ref path) = ty.node { |
| let def = self.ev.tcx.expect_def(ty.id); |
| match def { |
| Def::Struct(def_id) | Def::Enum(def_id) | Def::TyAlias(def_id) | |
| Def::Trait(def_id) | Def::AssociatedTy(def_id, _) => { |
| if let Some(node_id) = self.ev.tcx.map.as_local_node_id(def_id) { |
| let item = self.ev.tcx.map.expect_item(node_id); |
| if let Def::TyAlias(..) = def { |
| // Type aliases are substituted. Associated type aliases are not |
| // substituted yet, but ideally they should be. |
| if self.ev.get(item.id).is_none() { |
| self.reach_aliased_type(item, path); |
| } |
| } else { |
| self.ev.update(item.id, Some(AccessLevel::Reachable)); |
| } |
| } |
| } |
| |
| _ => {} |
| } |
| } |
| |
| intravisit::walk_ty(self, ty); |
| } |
| |
| fn visit_trait_ref(&mut self, trait_ref: &hir::TraitRef) { |
| let def_id = self.ev.tcx.expect_def(trait_ref.ref_id).def_id(); |
| if let Some(node_id) = self.ev.tcx.map.as_local_node_id(def_id) { |
| let item = self.ev.tcx.map.expect_item(node_id); |
| self.ev.update(item.id, Some(AccessLevel::Reachable)); |
| } |
| |
| intravisit::walk_trait_ref(self, trait_ref); |
| } |
| |
| // Don't recurse into function bodies |
| fn visit_block(&mut self, _: &hir::Block) {} |
| // Don't recurse into expressions in array sizes or const initializers |
| fn visit_expr(&mut self, _: &hir::Expr) {} |
| // Don't recurse into patterns in function arguments |
| fn visit_pat(&mut self, _: &hir::Pat) {} |
| } |
| |
| //////////////////////////////////////////////////////////////////////////////// |
| /// The privacy visitor, where privacy checks take place (violations reported) |
| //////////////////////////////////////////////////////////////////////////////// |
| |
| struct PrivacyVisitor<'a, 'tcx: 'a> { |
| tcx: TyCtxt<'a, 'tcx, 'tcx>, |
| curitem: ast::NodeId, |
| in_foreign: bool, |
| } |
| |
| impl<'a, 'tcx> PrivacyVisitor<'a, 'tcx> { |
| fn item_is_accessible(&self, did: DefId) -> bool { |
| match self.tcx.map.as_local_node_id(did) { |
| Some(node_id) => |
| ty::Visibility::from_hir(&self.tcx.map.expect_item(node_id).vis, node_id, self.tcx), |
| None => self.tcx.sess.cstore.visibility(did), |
| }.is_accessible_from(self.curitem, &self.tcx.map) |
| } |
| |
| // Checks that a field is in scope. |
| fn check_field(&mut self, span: Span, def: ty::AdtDef<'tcx>, field: ty::FieldDef<'tcx>) { |
| if def.adt_kind() == ty::AdtKind::Struct && |
| !field.vis.is_accessible_from(self.curitem, &self.tcx.map) { |
| span_err!(self.tcx.sess, span, E0451, "field `{}` of struct `{}` is private", |
| field.name, self.tcx.item_path_str(def.did)); |
| } |
| } |
| |
| // Checks that a method is in scope. |
| fn check_method(&mut self, span: Span, method_def_id: DefId) { |
| match self.tcx.impl_or_trait_item(method_def_id).container() { |
| // Trait methods are always all public. The only controlling factor |
| // is whether the trait itself is accessible or not. |
| ty::TraitContainer(trait_def_id) if !self.item_is_accessible(trait_def_id) => { |
| let msg = format!("source trait `{}` is private", |
| self.tcx.item_path_str(trait_def_id)); |
| self.tcx.sess.span_err(span, &msg); |
| } |
| _ => {} |
| } |
| } |
| } |
| |
| impl<'a, 'tcx, 'v> Visitor<'v> for PrivacyVisitor<'a, 'tcx> { |
| /// We want to visit items in the context of their containing |
| /// module and so forth, so supply a crate for doing a deep walk. |
| fn visit_nested_item(&mut self, item: hir::ItemId) { |
| let tcx = self.tcx; |
| self.visit_item(tcx.map.expect_item(item.id)) |
| } |
| |
| fn visit_item(&mut self, item: &hir::Item) { |
| let orig_curitem = replace(&mut self.curitem, item.id); |
| intravisit::walk_item(self, item); |
| self.curitem = orig_curitem; |
| } |
| |
| fn visit_expr(&mut self, expr: &hir::Expr) { |
| match expr.node { |
| hir::ExprMethodCall(..) => { |
| let method_call = ty::MethodCall::expr(expr.id); |
| let method = self.tcx.tables.borrow().method_map[&method_call]; |
| self.check_method(expr.span, method.def_id); |
| } |
| hir::ExprStruct(..) => { |
| let adt = self.tcx.expr_ty(expr).ty_adt_def().unwrap(); |
| let variant = adt.variant_of_def(self.tcx.expect_def(expr.id)); |
| // RFC 736: ensure all unmentioned fields are visible. |
| // Rather than computing the set of unmentioned fields |
| // (i.e. `all_fields - fields`), just check them all. |
| for field in &variant.fields { |
| self.check_field(expr.span, adt, field); |
| } |
| } |
| hir::ExprPath(..) => { |
| if let Def::Struct(..) = self.tcx.expect_def(expr.id) { |
| let expr_ty = self.tcx.expr_ty(expr); |
| let def = match expr_ty.sty { |
| ty::TyFnDef(_, _, &ty::BareFnTy { sig: ty::Binder(ty::FnSig { |
| output: ty::FnConverging(ty), .. |
| }), ..}) => ty, |
| _ => expr_ty |
| }.ty_adt_def().unwrap(); |
| let any_priv = def.struct_variant().fields.iter().any(|f| { |
| !f.vis.is_accessible_from(self.curitem, &self.tcx.map) |
| }); |
| if any_priv { |
| span_err!(self.tcx.sess, expr.span, E0450, |
| "cannot invoke tuple struct constructor with private \ |
| fields"); |
| } |
| } |
| } |
| _ => {} |
| } |
| |
| intravisit::walk_expr(self, expr); |
| } |
| |
| fn visit_pat(&mut self, pattern: &hir::Pat) { |
| // Foreign functions do not have their patterns mapped in the def_map, |
| // and there's nothing really relevant there anyway, so don't bother |
| // checking privacy. If you can name the type then you can pass it to an |
| // external C function anyway. |
| if self.in_foreign { return } |
| |
| match pattern.node { |
| PatKind::Struct(_, ref fields, _) => { |
| let adt = self.tcx.pat_ty(pattern).ty_adt_def().unwrap(); |
| let variant = adt.variant_of_def(self.tcx.expect_def(pattern.id)); |
| for field in fields { |
| self.check_field(pattern.span, adt, variant.field_named(field.node.name)); |
| } |
| } |
| PatKind::TupleStruct(_, ref fields, ddpos) => { |
| match self.tcx.pat_ty(pattern).sty { |
| ty::TyStruct(def, _) => { |
| let expected_len = def.struct_variant().fields.len(); |
| for (i, field) in fields.iter().enumerate_and_adjust(expected_len, ddpos) { |
| if let PatKind::Wild = field.node { |
| continue |
| } |
| self.check_field(field.span, def, &def.struct_variant().fields[i]); |
| } |
| } |
| ty::TyEnum(..) => { |
| // enum fields have no privacy at this time |
| } |
| _ => {} |
| } |
| } |
| _ => {} |
| } |
| |
| intravisit::walk_pat(self, pattern); |
| } |
| |
| fn visit_foreign_item(&mut self, fi: &hir::ForeignItem) { |
| self.in_foreign = true; |
| intravisit::walk_foreign_item(self, fi); |
| self.in_foreign = false; |
| } |
| } |
| |
| /////////////////////////////////////////////////////////////////////////////// |
| /// Obsolete visitors for checking for private items in public interfaces. |
| /// These visitors are supposed to be kept in frozen state and produce an |
| /// "old error node set". For backward compatibility the new visitor reports |
| /// warnings instead of hard errors when the erroneous node is not in this old set. |
| /////////////////////////////////////////////////////////////////////////////// |
| |
| struct ObsoleteVisiblePrivateTypesVisitor<'a, 'tcx: 'a> { |
| tcx: TyCtxt<'a, 'tcx, 'tcx>, |
| access_levels: &'a AccessLevels, |
| in_variant: bool, |
| // set of errors produced by this obsolete visitor |
| old_error_set: NodeSet, |
| } |
| |
| struct ObsoleteCheckTypeForPrivatenessVisitor<'a, 'b: 'a, 'tcx: 'b> { |
| inner: &'a ObsoleteVisiblePrivateTypesVisitor<'b, 'tcx>, |
| /// whether the type refers to private types. |
| contains_private: bool, |
| /// whether we've recurred at all (i.e. if we're pointing at the |
| /// first type on which visit_ty was called). |
| at_outer_type: bool, |
| // whether that first type is a public path. |
| outer_type_is_public_path: bool, |
| } |
| |
| impl<'a, 'tcx> ObsoleteVisiblePrivateTypesVisitor<'a, 'tcx> { |
| fn path_is_private_type(&self, path_id: ast::NodeId) -> bool { |
| let did = match self.tcx.expect_def(path_id) { |
| Def::PrimTy(..) | Def::SelfTy(..) => return false, |
| def => def.def_id(), |
| }; |
| |
| // A path can only be private if: |
| // it's in this crate... |
| if let Some(node_id) = self.tcx.map.as_local_node_id(did) { |
| // .. and it corresponds to a private type in the AST (this returns |
| // None for type parameters) |
| match self.tcx.map.find(node_id) { |
| Some(hir::map::NodeItem(ref item)) => item.vis != hir::Public, |
| Some(_) | None => false, |
| } |
| } else { |
| return false |
| } |
| } |
| |
| fn trait_is_public(&self, trait_id: ast::NodeId) -> bool { |
| // FIXME: this would preferably be using `exported_items`, but all |
| // traits are exported currently (see `EmbargoVisitor.exported_trait`) |
| self.access_levels.is_public(trait_id) |
| } |
| |
| fn check_ty_param_bound(&mut self, |
| ty_param_bound: &hir::TyParamBound) { |
| if let hir::TraitTyParamBound(ref trait_ref, _) = *ty_param_bound { |
| if self.path_is_private_type(trait_ref.trait_ref.ref_id) { |
| self.old_error_set.insert(trait_ref.trait_ref.ref_id); |
| } |
| } |
| } |
| |
| fn item_is_public(&self, id: &ast::NodeId, vis: &hir::Visibility) -> bool { |
| self.access_levels.is_reachable(*id) || *vis == hir::Public |
| } |
| } |
| |
| impl<'a, 'b, 'tcx, 'v> Visitor<'v> for ObsoleteCheckTypeForPrivatenessVisitor<'a, 'b, 'tcx> { |
| fn visit_ty(&mut self, ty: &hir::Ty) { |
| if let hir::TyPath(..) = ty.node { |
| if self.inner.path_is_private_type(ty.id) { |
| self.contains_private = true; |
| // found what we're looking for so let's stop |
| // working. |
| return |
| } else if self.at_outer_type { |
| self.outer_type_is_public_path = true; |
| } |
| } |
| self.at_outer_type = false; |
| intravisit::walk_ty(self, ty) |
| } |
| |
| // don't want to recurse into [, .. expr] |
| fn visit_expr(&mut self, _: &hir::Expr) {} |
| } |
| |
| impl<'a, 'tcx, 'v> Visitor<'v> for ObsoleteVisiblePrivateTypesVisitor<'a, 'tcx> { |
| /// We want to visit items in the context of their containing |
| /// module and so forth, so supply a crate for doing a deep walk. |
| fn visit_nested_item(&mut self, item: hir::ItemId) { |
| let tcx = self.tcx; |
| self.visit_item(tcx.map.expect_item(item.id)) |
| } |
| |
| fn visit_item(&mut self, item: &hir::Item) { |
| match item.node { |
| // contents of a private mod can be reexported, so we need |
| // to check internals. |
| hir::ItemMod(_) => {} |
| |
| // An `extern {}` doesn't introduce a new privacy |
| // namespace (the contents have their own privacies). |
| hir::ItemForeignMod(_) => {} |
| |
| hir::ItemTrait(_, _, ref bounds, _) => { |
| if !self.trait_is_public(item.id) { |
| return |
| } |
| |
| for bound in bounds.iter() { |
| self.check_ty_param_bound(bound) |
| } |
| } |
| |
| // impls need some special handling to try to offer useful |
| // error messages without (too many) false positives |
| // (i.e. we could just return here to not check them at |
| // all, or some worse estimation of whether an impl is |
| // publicly visible). |
| hir::ItemImpl(_, _, ref g, ref trait_ref, ref self_, ref impl_items) => { |
| // `impl [... for] Private` is never visible. |
| let self_contains_private; |
| // impl [... for] Public<...>, but not `impl [... for] |
| // Vec<Public>` or `(Public,)` etc. |
| let self_is_public_path; |
| |
| // check the properties of the Self type: |
| { |
| let mut visitor = ObsoleteCheckTypeForPrivatenessVisitor { |
| inner: self, |
| contains_private: false, |
| at_outer_type: true, |
| outer_type_is_public_path: false, |
| }; |
| visitor.visit_ty(&self_); |
| self_contains_private = visitor.contains_private; |
| self_is_public_path = visitor.outer_type_is_public_path; |
| } |
| |
| // miscellaneous info about the impl |
| |
| // `true` iff this is `impl Private for ...`. |
| let not_private_trait = |
| trait_ref.as_ref().map_or(true, // no trait counts as public trait |
| |tr| { |
| let did = self.tcx.expect_def(tr.ref_id).def_id(); |
| |
| if let Some(node_id) = self.tcx.map.as_local_node_id(did) { |
| self.trait_is_public(node_id) |
| } else { |
| true // external traits must be public |
| } |
| }); |
| |
| // `true` iff this is a trait impl or at least one method is public. |
| // |
| // `impl Public { $( fn ...() {} )* }` is not visible. |
| // |
| // This is required over just using the methods' privacy |
| // directly because we might have `impl<T: Foo<Private>> ...`, |
| // and we shouldn't warn about the generics if all the methods |
| // are private (because `T` won't be visible externally). |
| let trait_or_some_public_method = |
| trait_ref.is_some() || |
| impl_items.iter() |
| .any(|impl_item| { |
| match impl_item.node { |
| hir::ImplItemKind::Const(..) | |
| hir::ImplItemKind::Method(..) => { |
| self.access_levels.is_reachable(impl_item.id) |
| } |
| hir::ImplItemKind::Type(_) => false, |
| } |
| }); |
| |
| if !self_contains_private && |
| not_private_trait && |
| trait_or_some_public_method { |
| |
| intravisit::walk_generics(self, g); |
| |
| match *trait_ref { |
| None => { |
| for impl_item in impl_items { |
| // This is where we choose whether to walk down |
| // further into the impl to check its items. We |
| // should only walk into public items so that we |
| // don't erroneously report errors for private |
| // types in private items. |
| match impl_item.node { |
| hir::ImplItemKind::Const(..) | |
| hir::ImplItemKind::Method(..) |
| if self.item_is_public(&impl_item.id, &impl_item.vis) => |
| { |
| intravisit::walk_impl_item(self, impl_item) |
| } |
| hir::ImplItemKind::Type(..) => { |
| intravisit::walk_impl_item(self, impl_item) |
| } |
| _ => {} |
| } |
| } |
| } |
| Some(ref tr) => { |
| // Any private types in a trait impl fall into three |
| // categories. |
| // 1. mentioned in the trait definition |
| // 2. mentioned in the type params/generics |
| // 3. mentioned in the associated types of the impl |
| // |
| // Those in 1. can only occur if the trait is in |
| // this crate and will've been warned about on the |
| // trait definition (there's no need to warn twice |
| // so we don't check the methods). |
| // |
| // Those in 2. are warned via walk_generics and this |
| // call here. |
| intravisit::walk_path(self, &tr.path); |
| |
| // Those in 3. are warned with this call. |
| for impl_item in impl_items { |
| if let hir::ImplItemKind::Type(ref ty) = impl_item.node { |
| self.visit_ty(ty); |
| } |
| } |
| } |
| } |
| } else if trait_ref.is_none() && self_is_public_path { |
| // impl Public<Private> { ... }. Any public static |
| // methods will be visible as `Public::foo`. |
| let mut found_pub_static = false; |
| for impl_item in impl_items { |
| match impl_item.node { |
| hir::ImplItemKind::Const(..) => { |
| if self.item_is_public(&impl_item.id, &impl_item.vis) { |
| found_pub_static = true; |
| intravisit::walk_impl_item(self, impl_item); |
| } |
| } |
| hir::ImplItemKind::Method(ref sig, _) => { |
| if !sig.decl.has_self() && |
| self.item_is_public(&impl_item.id, &impl_item.vis) { |
| found_pub_static = true; |
| intravisit::walk_impl_item(self, impl_item); |
| } |
| } |
| _ => {} |
| } |
| } |
| if found_pub_static { |
| intravisit::walk_generics(self, g) |
| } |
| } |
| return |
| } |
| |
| // `type ... = ...;` can contain private types, because |
| // we're introducing a new name. |
| hir::ItemTy(..) => return, |
| |
| // not at all public, so we don't care |
| _ if !self.item_is_public(&item.id, &item.vis) => { |
| return; |
| } |
| |
| _ => {} |
| } |
| |
| // We've carefully constructed it so that if we're here, then |
| // any `visit_ty`'s will be called on things that are in |
| // public signatures, i.e. things that we're interested in for |
| // this visitor. |
| intravisit::walk_item(self, item); |
| } |
| |
| fn visit_generics(&mut self, generics: &hir::Generics) { |
| for ty_param in generics.ty_params.iter() { |
| for bound in ty_param.bounds.iter() { |
| self.check_ty_param_bound(bound) |
| } |
| } |
| for predicate in &generics.where_clause.predicates { |
| match predicate { |
| &hir::WherePredicate::BoundPredicate(ref bound_pred) => { |
| for bound in bound_pred.bounds.iter() { |
| self.check_ty_param_bound(bound) |
| } |
| } |
| &hir::WherePredicate::RegionPredicate(_) => {} |
| &hir::WherePredicate::EqPredicate(ref eq_pred) => { |
| self.visit_ty(&eq_pred.ty); |
| } |
| } |
| } |
| } |
| |
| fn visit_foreign_item(&mut self, item: &hir::ForeignItem) { |
| if self.access_levels.is_reachable(item.id) { |
| intravisit::walk_foreign_item(self, item) |
| } |
| } |
| |
| fn visit_ty(&mut self, t: &hir::Ty) { |
| if let hir::TyPath(..) = t.node { |
| if self.path_is_private_type(t.id) { |
| self.old_error_set.insert(t.id); |
| } |
| } |
| intravisit::walk_ty(self, t) |
| } |
| |
| fn visit_variant(&mut self, v: &hir::Variant, g: &hir::Generics, item_id: ast::NodeId) { |
| if self.access_levels.is_reachable(v.node.data.id()) { |
| self.in_variant = true; |
| intravisit::walk_variant(self, v, g, item_id); |
| self.in_variant = false; |
| } |
| } |
| |
| fn visit_struct_field(&mut self, s: &hir::StructField) { |
| if s.vis == hir::Public || self.in_variant { |
| intravisit::walk_struct_field(self, s); |
| } |
| } |
| |
| // we don't need to introspect into these at all: an |
| // expression/block context can't possibly contain exported things. |
| // (Making them no-ops stops us from traversing the whole AST without |
| // having to be super careful about our `walk_...` calls above.) |
| // FIXME(#29524): Unfortunately this ^^^ is not true, blocks can contain |
| // exported items (e.g. impls) and actual code in rustc itself breaks |
| // if we don't traverse blocks in `EmbargoVisitor` |
| fn visit_block(&mut self, _: &hir::Block) {} |
| fn visit_expr(&mut self, _: &hir::Expr) {} |
| } |
| |
| /////////////////////////////////////////////////////////////////////////////// |
| /// SearchInterfaceForPrivateItemsVisitor traverses an item's interface and |
| /// finds any private components in it. |
| /// PrivateItemsInPublicInterfacesVisitor ensures there are no private types |
| /// and traits in public interfaces. |
| /////////////////////////////////////////////////////////////////////////////// |
| |
| struct SearchInterfaceForPrivateItemsVisitor<'a, 'tcx: 'a> { |
| tcx: TyCtxt<'a, 'tcx, 'tcx>, |
| /// The visitor checks that each component type is at least this visible |
| required_visibility: ty::Visibility, |
| /// The visibility of the least visible component that has been visited |
| min_visibility: ty::Visibility, |
| old_error_set: &'a NodeSet, |
| } |
| |
| impl<'a, 'tcx: 'a> SearchInterfaceForPrivateItemsVisitor<'a, 'tcx> { |
| fn new(tcx: TyCtxt<'a, 'tcx, 'tcx>, old_error_set: &'a NodeSet) -> Self { |
| SearchInterfaceForPrivateItemsVisitor { |
| tcx: tcx, |
| min_visibility: ty::Visibility::Public, |
| required_visibility: ty::Visibility::PrivateExternal, |
| old_error_set: old_error_set, |
| } |
| } |
| } |
| |
| impl<'a, 'tcx: 'a> SearchInterfaceForPrivateItemsVisitor<'a, 'tcx> { |
| // Return the visibility of the type alias's least visible component type when substituted |
| fn substituted_alias_visibility(&self, item: &hir::Item, path: &hir::Path) |
| -> Option<ty::Visibility> { |
| // We substitute type aliases only when determining impl publicity |
| // FIXME: This will probably change and all type aliases will be substituted, |
| // requires an amendment to RFC 136. |
| if self.required_visibility != ty::Visibility::PrivateExternal { |
| return None; |
| } |
| // Type alias is considered public if the aliased type is |
| // public, even if the type alias itself is private. So, something |
| // like `type A = u8; pub fn f() -> A {...}` doesn't cause an error. |
| if let hir::ItemTy(ref ty, ref generics) = item.node { |
| let mut check = SearchInterfaceForPrivateItemsVisitor { |
| min_visibility: ty::Visibility::Public, ..*self |
| }; |
| check.visit_ty(ty); |
| // If a private type alias with default type parameters is used in public |
| // interface we must ensure, that the defaults are public if they are actually used. |
| // ``` |
| // type Alias<T = Private> = T; |
| // pub fn f() -> Alias {...} // `Private` is implicitly used here, so it must be public |
| // ``` |
| let provided_params = path.segments.last().unwrap().parameters.types().len(); |
| for ty_param in &generics.ty_params[provided_params..] { |
| if let Some(ref default_ty) = ty_param.default { |
| check.visit_ty(default_ty); |
| } |
| } |
| Some(check.min_visibility) |
| } else { |
| None |
| } |
| } |
| } |
| |
| impl<'a, 'tcx: 'a, 'v> Visitor<'v> for SearchInterfaceForPrivateItemsVisitor<'a, 'tcx> { |
| fn visit_ty(&mut self, ty: &hir::Ty) { |
| if let hir::TyPath(_, ref path) = ty.node { |
| match self.tcx.expect_def(ty.id) { |
| Def::PrimTy(..) | Def::SelfTy(..) | Def::TyParam(..) => { |
| // Public |
| } |
| Def::AssociatedTy(..) |
| if self.required_visibility == ty::Visibility::PrivateExternal => { |
| // Conservatively approximate the whole type alias as public without |
| // recursing into its components when determining impl publicity. |
| // For example, `impl <Type as Trait>::Alias {...}` may be a public impl |
| // even if both `Type` and `Trait` are private. |
| // Ideally, associated types should be substituted in the same way as |
| // free type aliases, but this isn't done yet. |
| return |
| } |
| Def::Struct(def_id) | Def::Enum(def_id) | Def::TyAlias(def_id) | |
| Def::Trait(def_id) | Def::AssociatedTy(def_id, _) => { |
| // Non-local means public (private items can't leave their crate, modulo bugs) |
| if let Some(node_id) = self.tcx.map.as_local_node_id(def_id) { |
| let item = self.tcx.map.expect_item(node_id); |
| let vis = match self.substituted_alias_visibility(item, path) { |
| Some(vis) => vis, |
| None => ty::Visibility::from_hir(&item.vis, node_id, self.tcx), |
| }; |
| |
| if !vis.is_at_least(self.min_visibility, &self.tcx.map) { |
| self.min_visibility = vis; |
| } |
| if !vis.is_at_least(self.required_visibility, &self.tcx.map) { |
| if self.tcx.sess.features.borrow().pub_restricted || |
| self.old_error_set.contains(&ty.id) { |
| span_err!(self.tcx.sess, ty.span, E0446, |
| "private type in public interface"); |
| } else { |
| self.tcx.sess.add_lint(lint::builtin::PRIVATE_IN_PUBLIC, |
| node_id, |
| ty.span, |
| format!("private type in public interface")); |
| } |
| } |
| } |
| } |
| _ => {} |
| } |
| } |
| |
| intravisit::walk_ty(self, ty); |
| } |
| |
| fn visit_trait_ref(&mut self, trait_ref: &hir::TraitRef) { |
| // Non-local means public (private items can't leave their crate, modulo bugs) |
| let def_id = self.tcx.expect_def(trait_ref.ref_id).def_id(); |
| if let Some(node_id) = self.tcx.map.as_local_node_id(def_id) { |
| let item = self.tcx.map.expect_item(node_id); |
| let vis = ty::Visibility::from_hir(&item.vis, node_id, self.tcx); |
| |
| if !vis.is_at_least(self.min_visibility, &self.tcx.map) { |
| self.min_visibility = vis; |
| } |
| if !vis.is_at_least(self.required_visibility, &self.tcx.map) { |
| if self.tcx.sess.features.borrow().pub_restricted || |
| self.old_error_set.contains(&trait_ref.ref_id) { |
| span_err!(self.tcx.sess, trait_ref.path.span, E0445, |
| "private trait in public interface"); |
| } else { |
| self.tcx.sess.add_lint(lint::builtin::PRIVATE_IN_PUBLIC, |
| node_id, |
| trait_ref.path.span, |
| "private trait in public interface (error E0445)" |
| .to_string()); |
| } |
| } |
| } |
| |
| intravisit::walk_trait_ref(self, trait_ref); |
| } |
| |
| // Don't recurse into function bodies |
| fn visit_block(&mut self, _: &hir::Block) {} |
| // Don't recurse into expressions in array sizes or const initializers |
| fn visit_expr(&mut self, _: &hir::Expr) {} |
| // Don't recurse into patterns in function arguments |
| fn visit_pat(&mut self, _: &hir::Pat) {} |
| } |
| |
| struct PrivateItemsInPublicInterfacesVisitor<'a, 'tcx: 'a> { |
| tcx: TyCtxt<'a, 'tcx, 'tcx>, |
| old_error_set: &'a NodeSet, |
| } |
| |
| impl<'a, 'tcx> PrivateItemsInPublicInterfacesVisitor<'a, 'tcx> { |
| // A type is considered public if it doesn't contain any private components |
| fn ty_visibility(&self, ty: &hir::Ty) -> ty::Visibility { |
| let mut check = SearchInterfaceForPrivateItemsVisitor::new(self.tcx, self.old_error_set); |
| check.visit_ty(ty); |
| check.min_visibility |
| } |
| |
| // A trait reference is considered public if it doesn't contain any private components |
| fn trait_ref_visibility(&self, trait_ref: &hir::TraitRef) -> ty::Visibility { |
| let mut check = SearchInterfaceForPrivateItemsVisitor::new(self.tcx, self.old_error_set); |
| check.visit_trait_ref(trait_ref); |
| check.min_visibility |
| } |
| } |
| |
| impl<'a, 'tcx, 'v> Visitor<'v> for PrivateItemsInPublicInterfacesVisitor<'a, 'tcx> { |
| fn visit_item(&mut self, item: &hir::Item) { |
| let min = |vis1: ty::Visibility, vis2| { |
| if vis1.is_at_least(vis2, &self.tcx.map) { vis2 } else { vis1 } |
| }; |
| |
| let mut check = SearchInterfaceForPrivateItemsVisitor::new(self.tcx, self.old_error_set); |
| let item_visibility = ty::Visibility::from_hir(&item.vis, item.id, self.tcx); |
| |
| match item.node { |
| // Crates are always public |
| hir::ItemExternCrate(..) => {} |
| // All nested items are checked by visit_item |
| hir::ItemMod(..) => {} |
| // Checked in resolve |
| hir::ItemUse(..) => {} |
| // Subitems of these items have inherited publicity |
| hir::ItemConst(..) | hir::ItemStatic(..) | hir::ItemFn(..) | |
| hir::ItemEnum(..) | hir::ItemTrait(..) | hir::ItemTy(..) => { |
| check.required_visibility = item_visibility; |
| check.visit_item(item); |
| } |
| // Subitems of foreign modules have their own publicity |
| hir::ItemForeignMod(ref foreign_mod) => { |
| for foreign_item in &foreign_mod.items { |
| check.required_visibility = |
| ty::Visibility::from_hir(&foreign_item.vis, item.id, self.tcx); |
| check.visit_foreign_item(foreign_item); |
| } |
| } |
| // Subitems of structs have their own publicity |
| hir::ItemStruct(ref struct_def, ref generics) => { |
| check.required_visibility = item_visibility; |
| check.visit_generics(generics); |
| |
| for field in struct_def.fields() { |
| let field_visibility = ty::Visibility::from_hir(&field.vis, item.id, self.tcx); |
| check.required_visibility = min(item_visibility, field_visibility); |
| check.visit_struct_field(field); |
| } |
| } |
| // The interface is empty |
| hir::ItemDefaultImpl(..) => {} |
| // An inherent impl is public when its type is public |
| // Subitems of inherent impls have their own publicity |
| hir::ItemImpl(_, _, ref generics, None, ref ty, ref impl_items) => { |
| let ty_vis = self.ty_visibility(ty); |
| check.required_visibility = ty_vis; |
| check.visit_generics(generics); |
| |
| for impl_item in impl_items { |
| let impl_item_vis = |
| ty::Visibility::from_hir(&impl_item.vis, item.id, self.tcx); |
| check.required_visibility = min(impl_item_vis, ty_vis); |
| check.visit_impl_item(impl_item); |
| } |
| } |
| // A trait impl is public when both its type and its trait are public |
| // Subitems of trait impls have inherited publicity |
| hir::ItemImpl(_, _, ref generics, Some(ref trait_ref), ref ty, ref impl_items) => { |
| let vis = min(self.ty_visibility(ty), self.trait_ref_visibility(trait_ref)); |
| check.required_visibility = vis; |
| check.visit_generics(generics); |
| for impl_item in impl_items { |
| check.visit_impl_item(impl_item); |
| } |
| } |
| } |
| } |
| } |
| |
| pub fn check_crate<'a, 'tcx>(tcx: TyCtxt<'a, 'tcx, 'tcx>, |
| export_map: &def::ExportMap) |
| -> AccessLevels { |
| let _task = tcx.dep_graph.in_task(DepNode::Privacy); |
| |
| let krate = tcx.map.krate(); |
| |
| // Use the parent map to check the privacy of everything |
| let mut visitor = PrivacyVisitor { |
| curitem: ast::DUMMY_NODE_ID, |
| in_foreign: false, |
| tcx: tcx, |
| }; |
| intravisit::walk_crate(&mut visitor, krate); |
| |
| tcx.sess.abort_if_errors(); |
| |
| // Build up a set of all exported items in the AST. This is a set of all |
| // items which are reachable from external crates based on visibility. |
| let mut visitor = EmbargoVisitor { |
| tcx: tcx, |
| export_map: export_map, |
| access_levels: Default::default(), |
| prev_level: Some(AccessLevel::Public), |
| changed: false, |
| }; |
| loop { |
| intravisit::walk_crate(&mut visitor, krate); |
| if visitor.changed { |
| visitor.changed = false; |
| } else { |
| break |
| } |
| } |
| visitor.update(ast::CRATE_NODE_ID, Some(AccessLevel::Public)); |
| |
| { |
| let mut visitor = ObsoleteVisiblePrivateTypesVisitor { |
| tcx: tcx, |
| access_levels: &visitor.access_levels, |
| in_variant: false, |
| old_error_set: NodeSet(), |
| }; |
| intravisit::walk_crate(&mut visitor, krate); |
| |
| // Check for private types and traits in public interfaces |
| let mut visitor = PrivateItemsInPublicInterfacesVisitor { |
| tcx: tcx, |
| old_error_set: &visitor.old_error_set, |
| }; |
| krate.visit_all_items(&mut visitor); |
| } |
| |
| visitor.access_levels |
| } |
| |
| __build_diagnostic_array! { librustc_privacy, DIAGNOSTICS } |