Add IsAllowedMutable

Author: madsmtm

crates/objc2/CHANGELOG.md

@@ -10,6 +10,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 * Added the following traits to the `mutability` module (see the documentation
   for motivation and usage info):
   - `HasStableHash`.
+  - `IsAllowedMutable`.
   - `IsMainThreadOnly`.
   - `CounterpartOrSelf`.
 * Added new `encode` traits `EncodeReturn`, `EncodeArgument` and
@@ -57,6 +58,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Fixed
 * Fixed the name of the protocol that `NSObjectProtocol` references.
 * Allow cloning `Id<AnyObject>`.
+* **BREAKING**: Restrict message sending to `&mut` references to things that
+  implement `IsAllowedMutable`.
 
 ### Removed
 * **BREAKING**: Removed `ProtocolType` implementation for `NSObject`.

crates/objc2/src/macros/declare_class.rs

@@ -83,8 +83,9 @@
 /// On instance methods, you can freely choose between different types of
 /// receivers, e.g. `&self`, `this: *const Self`, `&mut self`, and so on. Note
 /// though that using raw pointers requires the function to be `unsafe`, and
-/// using `&mut self` requires the class' mutability to be [`IsMutable`].
-/// If you require mutating your class' instance variables, consider using
+/// using `&mut self` requires the class' mutability to be
+/// [`IsAllowedMutable`].
+/// If you require mutation of your class' instance variables, consider using
 /// [`Cell`] or similar instead.
 ///
 /// The desired selector can be specified using the `#[method(my:selector:)]`
@@ -114,7 +115,7 @@
 ///
 /// ["associated functions"]: https://doc.rust-lang.org/reference/items/associated-items.html#methods
 /// ["methods"]: https://doc.rust-lang.org/reference/items/associated-items.html#methods
-/// [`IsMutable`]: crate::mutability::IsMutable
+/// [`IsAllowedMutable`]: crate::mutability::IsAllowedMutable
 /// [`Cell`]: core::cell::Cell
 /// [open an issue]: https://github.com/madsmtm/objc2/issues/new
 /// [`msg_send!`]: crate::msg_send

crates/objc2/src/mutability.rs

@@ -81,6 +81,7 @@ enum Never {}
 /// Functionality that is provided with this:
 /// - [`IsIdCloneable`] -> [`Id::clone`][crate::rc::Id#impl-Clone-for-Id<T>].
 /// - [`IsAllocableAnyThread`] -> [`ClassType::alloc`].
+/// - [`IsAllowedMutable`].
 #[derive(Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash, Debug)]
 pub struct Root {
     inner: Never,
@@ -110,6 +111,7 @@ pub struct Immutable {
 ///
 /// Functionality that is provided with this:
 /// - [`IsAllocableAnyThread`] -> [`ClassType::alloc`].
+/// - [`IsAllowedMutable`].
 /// - [`IsMutable`] -> [`impl DerefMut for Id`][crate::rc::Id#impl-DerefMut-for-Id<T>].
 /// - You are allowed to hand out pointers / references to an instance's
 ///   internal data, since you know such data will never be mutated without
@@ -143,6 +145,7 @@ pub struct Mutable {
 /// Functionality that is provided with this:
 /// - [`IsIdCloneable`].
 /// - [`IsAllocableAnyThread`].
+/// - [`IsAllowedMutable`].
 /// - You are allowed to hand out pointers / references to an instance's
 ///   internal data, since you know such data will never be mutated.
 ///
@@ -176,6 +179,7 @@ pub struct ImmutableWithMutableSubclass<MS: ?Sized> {
 ///
 /// Functionality that is provided with this:
 /// - [`IsAllocableAnyThread`] -> [`ClassType::alloc`].
+/// - [`IsAllowedMutable`].
 /// - [`IsMutable`] -> [`impl DerefMut for Id`][crate::rc::Id#impl-DerefMut-for-Id<T>].
 /// - You are allowed to hand out pointers / references to an instance's
 ///   internal data, since you know such data will never be mutated without
@@ -324,7 +328,7 @@ unsafe impl IsIdCloneable for AnyObject {}
 ///
 /// This is a sealed trait, and should not need to be implemented. Open an
 /// issue if you know a use-case where this restrition should be lifted!
-pub unsafe trait IsRetainable: IsIdCloneable {}
+pub unsafe trait IsRetainable: private_traits::Sealed + IsIdCloneable {}
 
 trait MutabilityIsRetainable: MutabilityIsIdCloneable {}
 impl MutabilityIsRetainable for Immutable {}
@@ -368,6 +372,39 @@ unsafe impl<P: ?Sized + ProtocolType + IsAllocableAnyThread> IsAllocableAnyThrea
 {
 }
 
+/// Marker trait for classes that may feasibly be used behind a mutable
+/// reference.
+///
+/// This trait exist mostly to disallow using `&mut self` when declaring
+/// classes, since that would be a huge footgun.
+///
+/// This is implemented for classes whose [`ClassType::Mutability`] is one of:
+/// - [`Root`]
+/// - [`Mutable`]
+/// - [`ImmutableWithMutableSubclass`]
+/// - [`MutableWithImmutableSuperclass`]
+///
+///
+/// # Safety
+///
+/// This is a sealed trait, and should not need to be implemented. Open an
+/// issue if you know a use-case where this restrition should be lifted!
+pub unsafe trait IsAllowedMutable: private_traits::Sealed {}
+
+trait MutabilityIsAllowedMutable: Mutability {}
+impl MutabilityIsAllowedMutable for Root {}
+impl MutabilityIsAllowedMutable for Mutable {}
+impl<MS: ?Sized> MutabilityIsAllowedMutable for ImmutableWithMutableSubclass<MS> {}
+impl<IS: ?Sized> MutabilityIsAllowedMutable for MutableWithImmutableSuperclass<IS> {}
+
+unsafe impl<T: ?Sized + ClassType> IsAllowedMutable for T where
+    T::Mutability: MutabilityIsAllowedMutable
+{
+}
+unsafe impl<P: ?Sized + ProtocolType + IsAllowedMutable> IsAllowedMutable for ProtocolObject<P> {}
+// SAFETY: Same as for root classes.
+unsafe impl IsAllowedMutable for AnyObject {}
+
 /// Marker trait for classes that are only mutable through `&mut`.
 ///
 /// This is implemented for classes whose [`ClassType::Mutability`] is one of:
@@ -378,14 +415,17 @@ unsafe impl<P: ?Sized + ProtocolType + IsAllocableAnyThread> IsAllocableAnyThrea
 /// technically mutable), since it is allowed to mutate through shared
 /// references.
 ///
+/// This trait inherits [`IsAllowedMutable`], so if a function is bound by
+/// this, functionality given with that trait is available.
+///
 ///
 /// # Safety
 ///
 /// This is a sealed trait, and should not need to be implemented. Open an
 /// issue if you know a use-case where this restrition should be lifted!
-pub unsafe trait IsMutable: private_traits::Sealed {}
+pub unsafe trait IsMutable: private_traits::Sealed + IsAllowedMutable {}
 
-trait MutabilityIsMutable: Mutability {}
+trait MutabilityIsMutable: MutabilityIsAllowedMutable {}
 impl MutabilityIsMutable for Mutable {}
 impl<IS: ?Sized> MutabilityIsMutable for MutableWithImmutableSuperclass<IS> {}
 
@@ -616,11 +656,12 @@ mod tests {
         );
     }
 
-    #[allow(unused)]
+    #[allow(unused, clippy::too_many_arguments)]
     fn object_safe(
         _: &dyn IsIdCloneable,
         _: &dyn IsRetainable,
         _: &dyn IsAllocableAnyThread,
+        _: &dyn IsAllowedMutable,
         _: &dyn IsMutable,
         _: &dyn IsMainThreadOnly,
         _: &dyn HasStableHash,

crates/objc2/src/runtime/message.rs

@@ -3,7 +3,7 @@ use core::ptr::{self, NonNull};
 
 use crate::__macro_helpers::{ConvertArgument, ConvertReturn};
 use crate::encode::{Encode, EncodeArguments, EncodeReturn};
-use crate::mutability::IsMutable;
+use crate::mutability::{IsAllowedMutable, IsMutable};
 use crate::rc::Id;
 use crate::runtime::{AnyClass, AnyObject, Imp, Sel};
 use crate::{ClassType, Message};
@@ -573,10 +573,8 @@ unsafe impl<'a, T: ?Sized + Message> MessageReceiver for &'a T {
     }
 }
 
-// TODO: Use `T: IsMutable + Root` here once we can handle `init` methods
-// better in `declare_class!`.
-impl<'a, T: ?Sized + Message> private::Sealed for &'a mut T {}
-unsafe impl<'a, T: ?Sized + Message> MessageReceiver for &'a mut T {
+impl<'a, T: ?Sized + Message + IsAllowedMutable> private::Sealed for &'a mut T {}
+unsafe impl<'a, T: ?Sized + Message + IsAllowedMutable> MessageReceiver for &'a mut T {
     type __Inner = T;
 
     #[inline]

crates/objc2/src/runtime/method_implementation.rs

@@ -2,9 +2,9 @@ use core::mem;
 
 use crate::__macro_helpers::IdReturnValue;
 use crate::encode::{EncodeArgument, EncodeArguments, EncodeReturn, RefEncode};
-use crate::mutability::IsMutable;
+use crate::mutability::IsAllowedMutable;
 use crate::rc::Allocated;
-use crate::runtime::{AnyClass, AnyObject, Imp, Sel};
+use crate::runtime::{AnyClass, Imp, Sel};
 use crate::Message;
 
 mod private {
@@ -116,14 +116,11 @@ macro_rules! method_impl_allocated {
 macro_rules! method_impl_abi {
     ($abi:literal; $($t:ident),*) => {
         method_impl_generic!(<'a> T: Message, R, extern $abi fn(&'a T, Sel $(, $t)*) -> R, $($t),*);
-        method_impl_generic!(<'a> T: Message + IsMutable, R, extern $abi fn(&'a mut T, Sel $(, $t)*) -> R, $($t),*);
+        method_impl_generic!(<'a> T: Message + IsAllowedMutable, R, extern $abi fn(&'a mut T, Sel $(, $t)*) -> R, $($t),*);
         method_impl_generic!(<> T: Message, R, unsafe extern $abi fn(*const T, Sel $(, $t)*) -> R, $($t),*);
         method_impl_generic!(<> T: Message, R, unsafe extern $abi fn(*mut T, Sel $(, $t)*) -> R, $($t),*);
         method_impl_generic!(<'a> T: Message, R, unsafe extern $abi fn(&'a T, Sel $(, $t)*) -> R, $($t),*);
-        method_impl_generic!(<'a> T: Message + IsMutable, R, unsafe extern $abi fn(&'a mut T, Sel $(, $t)*) -> R, $($t),*);
-
-        method_impl_concrete!(<'a> AnyObject, R, extern $abi fn(&'a mut AnyObject, Sel $(, $t)*) -> R, $($t),*);
-        method_impl_concrete!(<'a> AnyObject, R, unsafe extern $abi fn(&'a mut AnyObject, Sel $(, $t)*) -> R, $($t),*);
+        method_impl_generic!(<'a> T: Message + IsAllowedMutable, R, unsafe extern $abi fn(&'a mut T, Sel $(, $t)*) -> R, $($t),*);
 
         method_impl_concrete!(<'a> AnyClass, R, extern $abi fn(&'a AnyClass, Sel $(, $t)*) -> R, $($t),*);
         method_impl_concrete!(<> AnyClass, R, unsafe extern $abi fn(*const AnyClass, Sel $(, $t)*) -> R, $($t),*);

crates/test-ui/ui/declare_class_mut_self_not_mutable.rs

@@ -13,7 +13,7 @@ declare_class!(
 
     unsafe impl CustomObject {
         #[method(initTest)]
-        fn initTest(&mut self) -> &mut Self {
+        fn init_test(&mut self) -> &mut Self {
             unimplemented!()
         }
 

crates/test-ui/ui/declare_class_mut_self_not_mutable.stderr

@@ -1,4 +1,4 @@
-error[E0277]: the trait bound `InteriorMutable: mutability::MutabilityIsMutable` is not satisfied
+error[E0277]: the trait bound `InteriorMutable: mutability::MutabilityIsAllowedMutable` is not satisfied
  --> ui/declare_class_mut_self_not_mutable.rs
   |
   | / declare_class!(
@@ -10,13 +10,15 @@ error[E0277]: the trait bound `InteriorMutable: mutability::MutabilityIsMutable`
   | | );
   | | ^
   | | |
-  | |_the trait `mutability::MutabilityIsMutable` is not implemented for `InteriorMutable`
+  | |_the trait `mutability::MutabilityIsAllowedMutable` is not implemented for `InteriorMutable`
   |   required by a bound introduced by this call
   |
-  = help: the following other types implement trait `mutability::MutabilityIsMutable`:
+  = help: the following other types implement trait `mutability::MutabilityIsAllowedMutable`:
+            Root
             Mutable
+            ImmutableWithMutableSubclass<MS>
             MutableWithImmutableSuperclass<IS>
-  = note: required for `CustomObject` to implement `IsMutable`
+  = note: required for `CustomObject` to implement `IsAllowedMutable`
   = note: required for `extern "C" fn(&mut CustomObject, objc2::runtime::Sel) -> &mut CustomObject` to implement `MethodImplementation`
 note: required by a bound in `ClassBuilder::add_method`
  --> $WORKSPACE/crates/objc2/src/declare/mod.rs
@@ -28,7 +30,7 @@ note: required by a bound in `ClassBuilder::add_method`
   |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ required by this bound in `ClassBuilder::add_method`
   = note: this error originates in the macro `$crate::__declare_class_register_out` which comes from the expansion of the macro `declare_class` (in Nightly builds, run with -Z macro-backtrace for more info)
 
-error[E0277]: the trait bound `InteriorMutable: mutability::MutabilityIsMutable` is not satisfied
+error[E0277]: the trait bound `InteriorMutable: mutability::MutabilityIsAllowedMutable` is not satisfied
  --> ui/declare_class_mut_self_not_mutable.rs
   |
   | / declare_class!(
@@ -40,13 +42,15 @@ error[E0277]: the trait bound `InteriorMutable: mutability::MutabilityIsMutable`
   | | );
   | | ^
   | | |
-  | |_the trait `mutability::MutabilityIsMutable` is not implemented for `InteriorMutable`
+  | |_the trait `mutability::MutabilityIsAllowedMutable` is not implemented for `InteriorMutable`
   |   required by a bound introduced by this call
   |
-  = help: the following other types implement trait `mutability::MutabilityIsMutable`:
+  = help: the following other types implement trait `mutability::MutabilityIsAllowedMutable`:
+            Root
             Mutable
+            ImmutableWithMutableSubclass<MS>
             MutableWithImmutableSuperclass<IS>
-  = note: required for `CustomObject` to implement `IsMutable`
+  = note: required for `CustomObject` to implement `IsAllowedMutable`
   = note: required for `extern "C" fn(&mut CustomObject, objc2::runtime::Sel)` to implement `MethodImplementation`
 note: required by a bound in `ClassBuilder::add_method`
  --> $WORKSPACE/crates/objc2/src/declare/mod.rs
@@ -58,7 +62,7 @@ note: required by a bound in `ClassBuilder::add_method`
   |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ required by this bound in `ClassBuilder::add_method`
   = note: this error originates in the macro `$crate::__declare_class_register_out` which comes from the expansion of the macro `declare_class` (in Nightly builds, run with -Z macro-backtrace for more info)
 
-error[E0277]: the trait bound `InteriorMutable: mutability::MutabilityIsMutable` is not satisfied
+error[E0277]: the trait bound `InteriorMutable: mutability::MutabilityIsAllowedMutable` is not satisfied
  --> ui/declare_class_mut_self_not_mutable.rs
   |
   | / declare_class!(
@@ -70,13 +74,15 @@ error[E0277]: the trait bound `InteriorMutable: mutability::MutabilityIsMutable`
   | | );
   | | ^
   | | |
-  | |_the trait `mutability::MutabilityIsMutable` is not implemented for `InteriorMutable`
+  | |_the trait `mutability::MutabilityIsAllowedMutable` is not implemented for `InteriorMutable`
   |   required by a bound introduced by this call
   |
-  = help: the following other types implement trait `mutability::MutabilityIsMutable`:
+  = help: the following other types implement trait `mutability::MutabilityIsAllowedMutable`:
+            Root
             Mutable
+            ImmutableWithMutableSubclass<MS>
             MutableWithImmutableSuperclass<IS>
-  = note: required for `CustomObject` to implement `IsMutable`
+  = note: required for `CustomObject` to implement `IsAllowedMutable`
   = note: required for `extern "C" fn(&mut CustomObject, objc2::runtime::Sel) -> IdReturnValue` to implement `MethodImplementation`
 note: required by a bound in `ClassBuilder::add_method`
  --> $WORKSPACE/crates/objc2/src/declare/mod.rs
@@ -87,3 +93,25 @@ note: required by a bound in `ClassBuilder::add_method`
   |         F: MethodImplementation<Callee = T>,
   |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ required by this bound in `ClassBuilder::add_method`
   = note: this error originates in the macro `$crate::__declare_class_register_out` which comes from the expansion of the macro `declare_class` (in Nightly builds, run with -Z macro-backtrace for more info)
+
+error[E0277]: the trait bound `InteriorMutable: mutability::MutabilityIsAllowedMutable` is not satisfied
+ --> ui/declare_class_mut_self_not_mutable.rs
+  |
+  | / declare_class!(
+  | |     struct CustomObject;
+  | |
+  | |     unsafe impl ClassType for CustomObject {
+... |
+  | |     }
+  | | );
+  | |_^ the trait `mutability::MutabilityIsAllowedMutable` is not implemented for `InteriorMutable`
+  |
+  = help: the following other types implement trait `mutability::MutabilityIsAllowedMutable`:
+            Root
+            Mutable
+            ImmutableWithMutableSubclass<MS>
+            MutableWithImmutableSuperclass<IS>
+  = note: required for `CustomObject` to implement `IsAllowedMutable`
+  = note: required for `&mut CustomObject` to implement `MessageReceiver`
+  = note: required for `RetainSemantics<5>` to implement `MessageRecieveId<&mut CustomObject, Id<CustomObject>>`
+  = note: this error originates in the macro `$crate::__rewrite_self_param_inner` which comes from the expansion of the macro `declare_class` (in Nightly builds, run with -Z macro-backtrace for more info)

crates/test-ui/ui/extern_methods_not_allowed_mutable.rs

@@ -0,0 +1,29 @@
+//! Test extern_methods! with mutable receivers that are not IsAllowedMutable.
+use objc2::rc::Id;
+use objc2::runtime::NSObject;
+use objc2::{extern_class, extern_methods, mutability, ClassType};
+
+extern_class!(
+    pub struct MyObject;
+
+    unsafe impl ClassType for MyObject {
+        type Super = NSObject;
+        type Mutability = mutability::InteriorMutable;
+    }
+);
+
+extern_methods!(
+    unsafe impl MyObject {
+        #[method(test)]
+        fn test(&mut self);
+    }
+);
+
+extern_methods!(
+    unsafe impl MyObject {
+        #[method_id(testId)]
+        fn test_id(&mut self) -> Id<Self>;
+    }
+);
+
+fn main() {}