Support field-wise CoerceShared reborrows

[P8L1]

View all comments

This PR extends generic shared reborrows so that CoerceShared validates and lowers source-to-target structs field by field, rather than relying on a same-layout, transmute-like copy.

The core change is a shared rustc_middle::ty::reborrow helper that computes the field correspondence used by CoerceShared validation, borrow checking, const-eval, and codegen.

The correspondence rules are:

• Named structs match non-PhantomData data fields by name.
• Tuple structs match non-PhantomData data fields by position.
• PhantomData fields are ignored.
• Every target data field must correspond to a source data field.

CoerceShared impl validation now checks each corresponding field relation. A field relation is accepted when the field is:

• Copy-compatible,
• recursively CoerceShared-compatible, or
• a mutable-reference-to-shared-reference reborrow.

The validation also rejects mismatched field styles, missing source fields, mismatched reborrow lifetimes, and inaccessible fields with targeted diagnostics.

Borrowck now adds shared generic reborrow constraints recursively through the validated field relations, while still issuing the loan for the original source place as a whole. This ensures source-only fields remain protected for the inferred target lifetime when the target omits fields from the source.

Const-eval and codegen now lower shared generic reborrows recursively into the target fields instead of treating the operation as a transmute-like copy. This covers nested CoerceShared fields and layout-changing source/target pairs.

Fixes

Fixes #156566.
Fixes #156309.
Fixes #156315.

PR scope

I did not split these into smaller PRs because the issues mostly share the same root cause: CoerceShared needed a field-by-field validation and lowering model. So when making this, I just decided to write it in a way that will fix the issues anyway.

Tracking

#145612
https://rust-lang.github.io/rust-project-goals/2025h2/autoreborrow-traits.html

CC. @aapoalas, @dingxiangfei2009
r? @RalfJung

[rust-bors]

🔨 5 commits were squashed into b8e47e8.

[rust-bors]

Unclosed quote in argument. Run @bors help to see available commands.

[P8L1]

@bors squash msg="Support field-wise CoerceShared reborrows"

[rust-bors]

🔨 7 commits were squashed into 8987e4a.

[rustbot]

Some changes occurred to the CTFE machinery

cc @RalfJung, @oli-obk, @lcnr

Some changes occurred to the CTFE / Miri interpreter

cc @rust-lang/miri

This PR changes MIR

cc @oli-obk, @RalfJung, @JakobDegen, @vakaras

The Cranelift subtree was changed

cc @bjorn3

[rustbot]

r? @folkertdev

rustbot has assigned @folkertdev.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

Why was this reviewer chosen?

The reviewer was selected based on:

• Owners of files modified in this PR: compiler
• compiler expanded to 73 candidates
• Random selection from 17 candidates

[rustbot]

RalfJung is not on the review rotation at the moment.
They may take a while to respond.

[RalfJung]

Why are you asking for my review here? I have nothing to do with this feature and don't have capacity to take on a new feature, especially not a massive PR like this.

@rustbot reroll

[P8L1]

Why are you asking for my review here? I have nothing to do with this feature and don't have capacity to take on a new feature, especially not a massive PR like this.

@rustbot reroll

Oh I'm Sorry I did not think much.

I inferred from #156955 that you might be the right person to look specifically at the CTFE/Miri part, since that PR also touched reborrow const-eval/interpreter code and you reviewed it. But I understand now that this might be a bit to much to review on top of the work you already have..

Once again sorry, have a nice day

[RalfJung]

Looks like this is associated with https://rust-lang.github.io/rust-project-goals/2026/reborrow-traits.html ?
Cc @aapoalas -- is there a long-term plan for this proposal? If such non-trivial MIR semantics are needed, a "small" compiler team ask may not quite reflect the amount of work this may take. Also see this thread.

[RalfJung]

r? @oli-obk
who is the compiler liaison for that goal.

Also @P8L1 when you do work for a project goal, that's a good thing to mention in the PR description. If you're not aware of the project goal here, please coordinate with @aapoalas and @oli-obk.

[P8L1]

r? @oli-obk who is the compiler liaison for that goal.

Also @P8L1 when you do work for a project goal, that's a good thing to mention in the PR description. If you're not aware of the project goal here, please coordinate with @aapoalas and @oli-obk.

Hi Ralf, sorry, I always thought the tracking issue was enough. Thanks for the correction, I won't make the mistake again!

[RalfJung]

Fair, the tracking issue should in principle suffice. But not everyone always clicks through all the links. ;)

[dingxiangfei2009]

Hello @P8L1 and thank you for taking interest in the reborrow work.

With per-field reborrowing the proposed design will break away from a few fundamental but important assumptions and intended use cases of this language feature. A design document would certainly bring @aapoalas and me onto the same page and help us understand why the extension would be desirable. Let us chat on Zulip as well if you need any help.

[P8L1]

Hello @P8L1 and thank you for taking interest in the reborrow work.

With per-field reborrowing the proposed design will break away from a few fundamental but important assumptions and intended use cases of this language feature. A design document would certainly bring @aapoalas and me onto the same page and help us understand why the extension would be desirable. Let us chat on Zulip as well if you need any help.

Thanks, that makes sense.

I wrote up a PR-specific design note here please review it and share your thoughts so this PR can proceed!

[P8L1]

Borrow-set gathering records MIR Reborrow loans.
This file now treats malformed generic reborrow shapes as delayed compiler bugs instead of hard panics.

View changes since the review

[P8L1]

This replaces unreachable!/bug! assumptions with delayed bugs and early returns.
The borrow-set visitor can now avoid constructing a loan from invalid generic reborrow MIR.

View changes since the review

[P8L1]

Borrowck type checking is where generic reborrow MIR becomes region and type constraints.
The main change is replacing ad hoc one-field CoerceShared handling with recursive field-wise constraints.

View changes since the review

[P8L1]

This turns shape assumptions on the reborrow target into MIR bugs with early returns.
Borrowck still records liveness for the target lifetime, but only after proving the first generic arg is a lifetime.

View changes since the review

[P8L1]

The previous local name-based loop is replaced by a recursive helper call.
The key invariant is that validation, borrowck, and materialization all consume the same canonical field pairs.

View changes since the review

[theemathas]

This PR currently does not correctly handle decl_macro hygiene:

#![feature(reborrow, decl_macro)]

use std::marker::{CoerceShared, Reborrow};

macro my_macro($field:ident) {
    pub struct MyMut<'a> {
        $field: &'a i32,
        field: &'a i64,
    }

    #[derive(Clone, Copy)]
    pub struct MyRef<'a> {
        $field: &'a i32,
        field: &'a i64,
    }

    impl Reborrow for MyMut<'_> {}

    impl<'a> CoerceShared<MyRef<'a>> for MyMut<'a> {}
}

my_macro!(field);

error: implementing `CoerceShared` requires corresponding fields to match, be reborrowable with `CoerceShared`, or coerce a mutable reference field to a shared reference field
  --> src/lib.rs:14:9
   |
 7 |         $field: &'a i32,
   |         --------------- source field `field` has type `&'a i32`
...
14 |         field: &'a i64,
   |         ^^^^^^^^^^^^^^ target field `field` has type `&'a i64`
...
22 | my_macro!(field);
   | ---------------- in this macro invocation
   |
   = note: this error originates in the macro `my_macro` (in Nightly builds, run with -Z macro-backtrace for more info)

[P8L1]

Exclusive reborrows keep the ordinary same-type relation but now report a MIR bug instead of unwrapping.
This is defensive behavior for malformed MIR and does not change the success path.

View changes since the review

[P8L1]

This helper recursively walks the validated CoerceShared field relation.
It normalizes field types in borrowck's inference context before deciding whether to relate leaves or recurse.

View changes since the review

[P8L1]

The &mut T to &T leaf relates pointee types structurally and then emits the target-outlives-source constraint.
This mirrors built-in shared reborrowing while allowing aliases and projections in the pointee type.

View changes since the review

[P8L1]

Distinct ADTs are expanded through canonical CoerceShared field pairs, then each field pair is related recursively.
This is the borrowck side of nested field-wise reborrows such as OuterMut to OuterRef.

View changes since the review

[P8L1]

The fallback relates non-recursive leaves structurally, including aliases, using the same variance as the old field loop.
This covers copied scalar fields and equal field types after normalization.

View changes since the review

[P8L1]

HIR type checking creates the generic reborrow coercion adjustment before MIR borrowck sees it. This file adds a structural shape guard so only field-corresponding CoerceShared impls produce reborrow MIR.

View changes since the review

[P8L1]

HIR typeck imports the shared reborrow helper for a structural shape guard before creating a reborrow adjustment. This keeps obviously malformed CoerceShared shapes out of MIR.

View changes since the review

[P8L1]

The method comment is corrected to describe CoerceShared shared reborrowing, matching the code path below. The new shape guard rejects non-structs, missing lifetimes, and missing field correspondence before registering the trait obligation.

View changes since the review

[P8L1]

This helper checks only ADT struct shape, exactly-one-lifetime presence, and successful canonical field pairing. It does not inspect per-field type compatibility beyond what the pair helper needs for field metadata.

View changes since the review

[P8L1]

This helper is the HIR typeck shape gate for producing ExprKind::Reborrow adjustments. It accepts only struct ADTs with one lifetime argument each and successful canonical field pairing.

View changes since the review

[P8L1]

This PR currently does not correctly handle decl_macro hygiene:

#![feature(reborrow, decl_macro)]

use std::marker::{CoerceShared, Reborrow};

macro my_macro($field:ident) {
    pub struct MyMut<'a> {
        $field: &'a i32,
        field: &'a i64,
    }

    #[derive(Clone, Copy)]
    pub struct MyRef<'a> {
        $field: &'a i32,
        field: &'a i64,
    }

    impl Reborrow for MyMut<'_> {}

    impl<'a> CoerceShared<MyRef<'a>> for MyMut<'a> {}
}

my_macro!(field);

error: implementing `CoerceShared` requires corresponding fields to match, be reborrowable with `CoerceShared`, or coerce a mutable reference field to a shared reference field
  --> src/lib.rs:14:9
   |
 7 |         $field: &'a i32,
   |         --------------- source field `field` has type `&'a i32`
...
14 |         field: &'a i64,
   |         ^^^^^^^^^^^^^^ target field `field` has type `&'a i64`
...
22 | my_macro!(field);
   | ---------------- in this macro invocation
   |
   = note: this error originates in the macro `my_macro` (in Nightly builds, run with -Z macro-backtrace for more info)

Ok im going to fix this now then finish comments

[P8L1]

This new helper module is the canonical home for Reborrow and CoerceShared field metadata: it extracts participating ADT fields, preserves projection indices and spans, filters PhantomData, and computes source-to-target field pairs.

View changes since the review

[P8L1]

This struct is the data contract for one participating field. index preserves the real ADT field index for MIR projection, ident is needed for hygiene-aware named-field matching, name is kept for diagnostics, ty is the instantiated field type, and span lets validation point at the field that caused the problem.

The split between ident and name matters: name is useful for user-facing output, but matching named fields must not be reduced to raw textual-name equality.

View changes since the review

[P8L1]

CoerceSharedFieldPair is the normalized relation later compiler phases operate on: each target field has a specific source field. The error enum keeps correspondence failures field-local, distinguishing mismatched struct styles from a target field that has no valid source-side data field.

View changes since the review

[P8L1]

This function extracts the instantiated non-PhantomData fields that actually participate in field-wise reborrowing. It deliberately preserves the original FieldIdx, because matching ignores marker fields but MIR / CTFE / codegen still need to project from the real ADT layout.

View changes since the review

[P8L1]

This is the boundary between named-field and tuple-field correspondence. CoerceShared does not allow named structs and tuple structs to be matched against each other, because the meaning of “corresponding field” is different in the two styles.

View changes since the review

[P8L1]

Tuple structs match by filtered data-field ordinal, not by original field index. This lets PhantomData be ignored for correspondence while still preserving each field’s original FieldIdx inside the returned pair for later projection.

View changes since the review

[P8L1]

The repeat(None) tail makes the target-driven failure mode explicit: every target data field must have a corresponding source data field. Extra source fields do not matter for constructing the shared target view, but missing source fields are rejected.

View changes since the review

[P8L1]

This is the hygiene-sensitive part of named-field correspondence. Two fields can print with the same textual name under decl_macro while still being distinct identifiers, so this must use rustc’s hygienic field identity rather than raw Symbol equality. (The decl macro hygiene bug was caused by me just comparing names)

View changes since the review

[P8L1]

The named-field branch is target-driven: each non-PhantomData target field must resolve to a hygienically corresponding source field. If no source field matches, the helper reports the target field as missing instead of silently omitting it or falling back to position.

View changes since the review

[theemathas]

The CoerceShared impl check does not resolve associated types before checking whether the field types match. Is this intentional?

#![feature(reborrow)]

use std::marker::{CoerceShared, Reborrow};

trait Trait {
    type Assoc;
}
impl Trait for i32 {
    type Assoc = i64;
}

struct MyMut<'a> {
    x: &'a (),
    y: i64,
}

#[derive(Copy, Clone)]
struct MyRef<'a> {
    x: &'a (),
    y: <i32 as Trait>::Assoc,
}

impl Reborrow for MyMut<'_> {}

impl<'a> CoerceShared<MyRef<'a>> for MyMut<'a> {}

error: implementing `CoerceShared` requires corresponding fields to match, be reborrowable with `CoerceShared`, or coerce a mutable reference field to a shared reference field
  --> src/lib.rs:20:5
   |
14 |     y: i64,
   |     ------ source field `y` has type `i64`
...
20 |     y: <i32 as Trait>::Assoc,
   |     ^^^^^^^^^^^^^^^^^^^^^^^^ target field `y` has type `<i32 as Trait>::Assoc`

[theemathas]

The CoerceShared impl check does not verify that lifetimes match. Is this intentional?

// Compiles without errors

#![feature(reborrow)]

use std::marker::{CoerceShared, Reborrow};

struct MyMut<'a> {
    x: &'static (),
    y: &'a (),
}

#[derive(Copy, Clone)]
struct MyRef<'a> {
    x: &'a (),
    y: &'static (),
}

impl Reborrow for MyMut<'_> {}

impl<'a> CoerceShared<MyRef<'a>> for MyMut<'a> {}

[P8L1]

Ok I would like to start off by saying sorry for all the pings.
I have fixed the decl macro hygiene issues.

I have recently received valid criticism about the reviewability of this PR. Thus, I took my self-review notes, summarised them and posted them as review comments here. This was done to make it easier for reviewers to wrap their heads around the changes.

I have also updated the Design Note to reflect the new decl_macro hygiene changes

[P8L1]

The CoerceShared impl check does not resolve associated types before checking whether the field types match. Is this intentional?

#![feature(reborrow)]

use std::marker::{CoerceShared, Reborrow};

trait Trait {
    type Assoc;
}
impl Trait for i32 {
    type Assoc = i64;
}

struct MyMut<'a> {
    x: &'a (),
    y: i64,
}

#[derive(Copy, Clone)]
struct MyRef<'a> {
    x: &'a (),
    y: <i32 as Trait>::Assoc,
}

impl Reborrow for MyMut<'_> {}

impl<'a> CoerceShared<MyRef<'a>> for MyMut<'a> {}

error: implementing `CoerceShared` requires corresponding fields to match, be reborrowable with `CoerceShared`, or coerce a mutable reference field to a shared reference field
  --> src/lib.rs:20:5
   |
14 |     y: i64,
   |     ------ source field `y` has type `i64`
...
20 |     y: <i32 as Trait>::Assoc,
   |     ^^^^^^^^^^^^^^^^^^^^^^^^ target field `y` has type `<i32 as Trait>::Assoc`

The CoerceShared impl check does not verify that lifetimes match. Is this intentional?

// Compiles without errors

#![feature(reborrow)]

use std::marker::{CoerceShared, Reborrow};

struct MyMut<'a> {
    x: &'static (),
    y: &'a (),
}

#[derive(Copy, Clone)]
struct MyRef<'a> {
    x: &'a (),
    y: &'static (),
}

impl Reborrow for MyMut<'_> {}

impl<'a> CoerceShared<MyRef<'a>> for MyMut<'a> {}

Thanks, both of these were bugs in the impl validation rather than intentional behavior.

I pushed a fix in Validate CoerceShared field relations after normalization. CoerceShared field validation now structurally normalizes the field types before accepting equality or the built-in &mut T -> &T field relation, evaluates the generated obligations, and resolves region constraints before returning success.

That fixes the associated-type case because <i32 as Trait>::Assoc is normalized before the field equality check. It also rejects the swapped-lifetime case because field-internal lifetime constraints are now actually resolved instead of relying only on the top-level reborrow lifetime argument.