Skip to content

Unsoundness in next-solver when checking lifetime requirements for RPIT #155520

Open
Open
Unsoundness in next-solver when checking lifetime requirements for RPIT#155520
Labels
A-borrow-checkerArea: The borrow checkerA-impl-traitArea: `impl Trait`. Universally / existentially quantified anonymous types with static dispatch.A-implied-boundsArea: Implied bounds / inferred outlives-boundsA-trait-systemArea: Trait systemC-bugCategory: This is a bug.I-unsoundIssue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/SoundnessS-has-bisectionStatus: A bisection has been found for this issueS-has-mcveStatus: A Minimal Complete and Verifiable Example has been found for this issueT-typesRelevant to the types team, which will review and decide on the PR/issue.WG-trait-system-refactorThe Rustc Trait System Refactor Initiative (-Znext-solver)requires-nightlyThis issue requires a nightly compiler in some way. When possible, use a F-* label instead.
@maxdexh

Description

@maxdexh
maxdexh
opened on Apr 19, 2026

The following code results in a segfault when running with -Znext-solver:

trait Convert<T> {
    fn from(it: T) -> Self;
}
impl<'a, 'b: 'a, T> Convert<&'b T> for &'a T {
    fn from(it: &'b T) -> Self {
        it
    }
}

trait GatConvert: Sized {
    type Y<'a>: Convert<Self>
    where
        Self: 'a;

    fn into_y<'a>(self) -> Self::Y<'a>
    where
        Self: 'a,
    {
        Convert::from(self)
    }
}

type Target = Vec<Vec<u8>>;

impl<'b> GatConvert for &'b Target {
    type Y<'a>
        = &'a Target
    where
        Self: 'a;
}

fn wat<'a, T: GatConvert>(t: T) -> impl Sized + 'a {
    t.into_y::<'a>() // This should not compile!
}

fn leak<'a>(t: &'a Target) -> &'static Target {
    let ext = wat::<'static>(t);
    *(&ext as &dyn std::any::Any).downcast_ref().unwrap()
}

fn main() {
    let buf = leak(&vec![vec![1]]);
    dbg!(buf[0][0]);
}

rustc --version --verbose:

rustc 1.97.0-nightly (0febdbab2 2026-04-18)
binary: rustc
commit-hash: 0febdbab2720dc0360cd294c67db88d6d06580d4
commit-date: 2026-04-18
host: x86_64-unknown-linux-gnu
release: 1.97.0-nightly
LLVM version: 22.1.2
Pinned by theemathas
@maxdexhmaxdexhon Apr 20, 2026

The trait is not even necessary

fn into_y<T>(t: T) -> impl Sized
where
    T: 'static,
{
    t
}
fn wat<T>(t: T) -> impl Sized + 'static {
    into_y(t) // T: 'static is not checked
}
exploitation 
fn leak<T>(t: &T) -> &'static T {
    *(&wat(t) as &dyn std::any::Any).downcast_ref().unwrap()
}

fn main() {
    let buf = leak(&vec![vec![1]]);
    dbg!(buf[0][0]);
}

View full comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    A-borrow-checkerArea: The borrow checkerA-impl-traitArea: `impl Trait`. Universally / existentially quantified anonymous types with static dispatch.A-implied-boundsArea: Implied bounds / inferred outlives-boundsA-trait-systemArea: Trait systemC-bugCategory: This is a bug.I-unsoundIssue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/SoundnessS-has-bisectionStatus: A bisection has been found for this issueS-has-mcveStatus: A Minimal Complete and Verifiable Example has been found for this issueT-typesRelevant to the types team, which will review and decide on the PR/issue.WG-trait-system-refactorThe Rustc Trait System Refactor Initiative (-Znext-solver)requires-nightlyThis issue requires a nightly compiler in some way. When possible, use a F-* label instead.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions