Rollup merge of #77663 - HeroicKatora:regression-tests-27675-object-safe, r=Aaron1011

Add compile fail test for issue 27675 A recently merged PR (#73905) strengthened the checks on bounds of associated items. This rejects the attack path of #27675 which consisted of constructing a `dyn Trait<Item=T>` where `T` would not fulfill the bounds required on `Item` of the `Trait` behind the dyn object. This regression test, extracted from [the weaponized instance](https://github.com/rust-lang/rust/issues/27675#issuecomment-696956878), checks that this is rejected.
2020-10-08 23:23:12 +02:00 · 2020-10-08 23:23:12 +02:00 · b1e856ad43
parent 7edb7e7ec0 ea206f2c5a
commit b1e856ad43
1 changed files with 19 additions and 0 deletions
--- a/src/test/compile-fail/issue-27675-unchecked-bounds.rs
+++ b/src/test/compile-fail/issue-27675-unchecked-bounds.rs
@ -0,0 +1,19 @@
+/// The compiler previously did not properly check the bound of `From` when it was used from type
+/// of the dyn trait object (use in `copy_any` below). Since the associated type is under user
+/// control in this usage, the compiler could be tricked to believe any type implemented any trait.
+/// This would ICE, except for pure marker traits like `Copy`. It did not require providing an
+/// instance of the dyn trait type, only name said type.
+trait Setup {
+    type From: Copy;
+}
+
+fn copy<U: Setup + ?Sized>(from: &U::From) -> U::From {
+    *from
+}
+
+pub fn copy_any<T>(t: &T) -> T {
+    copy::<dyn Setup<From=T>>(t)
+    //~^ ERROR the trait bound `T: Copy` is not satisfied
+}
+
+fn main() {}