fix: Panic while canonicalizing erroneous projection type

[ShoyuVanilla]

Fixes #17866

The root cause of #17866 is quite horrifyng 😨

trait T {
    type A;
}

type Foo = <S as T>::A; // note that S isn't defined

fn main() {
    Foo {}
}

While inferencing alias type Foo = <S as T>::A;

rust-analyzer/crates/hir-ty/src/infer.rs

Lines 1388 to 1398 in 78c2bdc

	TypeNs::TypeAliasId(it) => {
	let resolved_seg = match unresolved {
	None => path.segments().last().unwrap(),
	Some(n) => path.segments().get(path.segments().len() - n - 1).unwrap(),
	};
	let substs =
	ctx.substs_from_path_segment(resolved_seg, Some(it.into()), true, None);
	let ty = self.db.ty(it.into());
	let ty = self.insert_type_vars(ty.substitute(Interner, &substs));
	self.resolve_variant_on_alias(ty, unresolved, mod_path)

the error type S in it is substituted by inference var in L1396 above as below;

rust-analyzer/crates/hir-ty/src/infer/unify.rs

Lines 866 to 869 in 78c2bdc

	/// Replaces `Ty::Error` by a new type var, so we can maybe still infer it.
	pub(super) fn insert_type_vars_shallow(&mut self, ty: Ty) -> Ty {
	match ty.kind(Interner) {
	TyKind::Error => self.new_type_var(),

This new inference var's index is 1, as the type inferecing procedure here previously inserted another inference var into same InferenceTable.

But after that, the projection type made from the above then passed to the following function;

rust-analyzer/crates/hir-ty/src/traits.rs

Lines 88 to 96 in 78c2bdc

	pub(crate) fn normalize_projection_query(
	db: &dyn HirDatabase,
	projection: ProjectionTy,
	env: Arc<TraitEnvironment>,
	) -> Ty {
	let mut table = InferenceTable::new(db, env);
	let ty = table.normalize_projection_ty(projection);
	table.resolve_completely(ty)
	}

here, a whole new InferenceTable is made, without any inference var and in the L94, this table calls;

rust-analyzer/crates/hir-ty/src/infer/unify.rs

Lines 364 to 370 in 78c2bdc

	pub(crate) fn normalize_projection_ty(&mut self, proj_ty: ProjectionTy) -> Ty {
	let var = self.new_type_var();
	let alias_eq = AliasEq { alias: AliasTy::Projection(proj_ty), ty: var.clone() };
	let obligation = alias_eq.cast(Interner);
	self.register_obligation(obligation);
	var
	}

And while registering AliasEq obligation, this obligation contains inference var ?1 made from the previous table, but this table has only one inference var ?0 made at L365.
So, the chalk panics when we try to canonicalize that obligation to register it, because the obligation contains an inference var ?1 that the canonicalizing table doesn't have.

Currently, we are calling InferenceTable::new() to do some normalizing, unifying or coercing things to some targets that might contain inference var that the new table doesn't have.
I think that this is quite dangerous footgun because the inference var is just an index that does not contain the information which table does it made from, so sometimes this "foreign" index might cause panic like this case, or point at the wrong variable.

This PR mitigates such behaviour simply by inserting sufficient number of inference vars to new table to avoid such problem.
This strategy doesn't harm current r-a's intention because the inference vars that passed into new tables are just "unresolved" variables in current r-a, so this is just making sure that such "unresolved" variables exist in the new table

[davidbarsky]

And while registering AliasEq obligation, this obligation contains inference var ?1 made from the previous table, but this table has only one inference var ?0 made at L365.
I think that this is quite dangerous footgun because the inference var is just an index that does not contain the information which table does it made from, so sometimes this "foreign" index might cause panic like this case, or point at the wrong variable.

I'm trying to remember their names, but there were a few arena crates whose keys tracked its creator's provenance. Do you think an approach like this would help here?

[ShoyuVanilla]

I'm trying to remember their names, but there were a few arena crates whose keys tracked its creator's provenance. Do you think an approach like this would help here?

I think that this PR is just a mitigation and what you said is the "correct" way to fix this, maybe.

[davidbarsky]

Yes, sorry! Lemme merge this. @bors r+

I'll make a new issue.

[bors]

📌 Commit 8bcaba1 has been approved by davidbarsky

It is now in the queue for this repository.

[bors]

⌛ Testing commit 8bcaba1 with merge 0bc8501...

[flodiebold]

normalize_projection_query is a Salsa query, so its input should really be canonicalized (i.e. it should take a Canonical<ProjectionTy>). Canonicalization replaces inference vars by bound vars in order of appearance, which has the two effects of 1. "freeing" the type of the inference table it came from, and 2. making types that are equal in structure actually equal (you don't care if you have Option<?2> or Option<?45>), which is important for proper caching of the query. Taking a Canonical also serves as a check that there are no inference variables in the type.

On the other side, apparently this normalize_projection query gets called during inference, which is probably the cause of this bug (the only other place it gets called is in hir). That code should rather be using table.normalize_projection_ty directly.

[flodiebold]

@bors r-

[davidbarsky]

@bors r-

Sorry about that!

[flodiebold]

A bit too slow in writing my comment 😅

[ShoyuVanilla]

Okay, I'll rethink about this tommorrow(it's past midnight here 😅)

[bors]

☀️ Try build successful - checks-actions
Build commit: 0bc8501 (0bc85018e9660cd35a81007ed8ca8b58587fab9e)

[flodiebold]

Currently, we are calling InferenceTable::new() to do some normalizing, unifying or coercing things to some targets that might contain inference var that the new table doesn't have.

Basically, a type that still contains inference vars "crossing over" to a new inference table is always a bug. Most of the places you changed already take a Canonical, so they should be fine; a few are only intended for use by hir or analysis after type-checking. For these a debug assertion that the type doesn't contain inference vars might be good.

[lnicola]

there were a few arena crates whose keys tracked its creator's provenance

It no longer matters, but I think they're called generational indexes or arenas.

[ShoyuVanilla]

normalize_projection_query is a Salsa query, so its input should really be canonicalized (i.e. it should take a Canonical). Canonicalization replaces inference vars by bound vars in order of appearance, which has the two effects of 1. "freeing" the type of the inference table it came from, and 2. making types that are equal in structure actually equal (you don't care if you have Option<?2> or Option<?45>), which is important for proper caching of the query. Taking a Canonical also serves as a check that there are no inference variables in the type.

On the other side, apparently this normalize_projection query gets called during inference, which is probably the cause of this bug (the only other place it gets called is in hir). That code should rather be using table.normalize_projection_ty directly.

I was too obssesed with the projection type containing ivs and learned a lot from your comments. Thanks 😄

[flodiebold]

@bors delegate+

[flodiebold]

resolve_completely is the wrong thing to use during inference since it applies fallback. I think this should just be resolve_ty_shallow

[flodiebold]

this could be a function has_inference_variables. Also, the flags in a Ty already store whether it contains any inference variable, so it could be easier to use that :)

[ShoyuVanilla]

@bors r+

[bors]

@ShoyuVanilla: 🔑 Insufficient privileges: Not in reviewers

[lnicola]

@bors r+

[bors]

📌 Commit e6d8970 has been approved by lnicola

It is now in the queue for this repository.

[bors]

⌛ Testing commit e6d8970 with merge 64a1405...

[bors]

☀️ Test successful - checks-actions
Approved by: lnicola
Pushing 64a1405 to master...