Revert "Do not check privacy for RPITIT."

[mladedav]

The changes here were first merged in #143357 and later reverted in #144098 as it introduces new hard errors. There was a crater run tracked in #144139 to see how much projects would be broken (not that many, a few repositories on github are affected).

This reenables hard errors for privacy in RPITIT.

Fixes #143531
Closes #144139
Hopefully closes #71043

[rustbot]

compiler-errors is not on the review rotation at the moment.
They may take a while to respond.

[compiler-errors]

r? cjgillot

[mladedav]

Gentle ping @cjgillot

[joshtriplett]

This came up in today's @rust-lang/lang meeting. It's clear why this needed an FCP (as it's a breaking change), but we didn't feel like we had the context. Could we get a clear ask for what exactly the new hard error is that we're reviewing?

Does this just make it a hard error to write a public trait that has something like -> impl Trait using a private trait? Or is there more to it than that? The discussion in #144139 makes it sound like it's substantially more complex and subtle than that.

[mladedav]

It is a little bit more subtle in the current form, the main weirdness I remember is that creating a required method returning a private impl trait does not error out, only providing an implementation does, so

pub trait Foo {
    fn required_impl_trait() -> impl Private;
}

does not error while

pub trait Foo {
    fn required_impl_trait() -> impl Private;
}

impl Foo for S {
    fn required_impl_trait() -> impl Private { X }
}

and

pub trait Foo {
    fn provided_impl_trait() -> impl Private { X }
}

both error out.

The error is also reported when the Private trait is used in generic bounds of the method.

And then for AFIT it seems to work the same after desugaring, so async fn required_async_concrete() -> PrivateStruct; works the same way as it desugars to returning an impl trait which is considered private due to its private associated type. So declaring the method in the trait is not linted while implementing it is.

As I understand it, this is not as strict as it should be based on @petrochenkov's comment and even the first case of defining the trait should be rejected.

Here is a playground with more cases to see what does and does not produce errors (though the errors are just comments but compiling the code on this branch should provide the stated results).

---

To summarize, this adds errors when using a private trait in RPITIT but when the offending trait is not used in a trait bound and an implementation is not provided, there is a false negative an the error is not emitted even though it should be.

[traviscross]

@bors2 try

[traviscross]

@mladedav: I'm having trouble working out the reason why we'd give a hard error for the RPIT-in-trait-impl,

trait PrivTr {}
impl PrivTr for () {}
#[expect(private_bounds)]
pub trait PubTr {
    fn f1() -> impl PrivTr;
}
impl<T> PubTr for T {
    #[expect(private_interfaces)]
    fn f1() -> impl PrivTr {}
    //~^ error[E0446]: private trait `PrivTr` in public interface
    //~| help: can't leak private trait
}

given that we don't give an error for an RPIT-in-free-function,

trait PrivTr {}
impl PrivTr for () {}

#[expect(private_interfaces)]
pub fn f2() -> impl PrivTr {} //~ OK

and given that we allow the comparable associated type desugaring of the RPITIT:

trait PrivTr {}
impl PrivTr for () {}
pub trait PubTr {
    #[expect(private_bounds)]
    type F1: PrivTr; //~ OK
    fn f1() -> Self::F1;
}
impl<T> PubTr for T {
    type F1 = ();
    fn f1() -> Self::F1 {}
}

What's the rationale here?

cc @petrochenkov

---

I note that on nightly we give an error for this, when desugaring the RPIT-in-trait-impl to ATPIT:

#![feature(impl_trait_in_assoc_type)]
trait PrivTr {}
impl PrivTr for () {}
pub trait PubTr {
    #[expect(private_bounds)]
    type F1: PrivTr; //~ OK
    fn f1() -> Self::F1;
}
impl<T> PubTr for T {
    type F1 = impl PrivTr;
    //~^ error[E0446]: private trait `PrivTr` in public interface
    fn f1() -> Self::F1 {}
}

What's the rationale here? It makes sense why we can't leak a private type in this way -- we'd then be allowing a private type to be named. Why does this rise to the level of a hard error for a private trait in an impl trait bound?

---

Also, on the PR, I notice that placing the expect over the trait item doesn't work.

trait PrivTr {}
impl PrivTr for () {}
pub trait PubTr {
    #[expect(private_bounds)] //~ warning: this lint expectation is unfulfilled
    fn f1() -> impl PrivTr;
    //~^ warning: trait `PrivTr` is more private than the item `PubTr::f1::{anon_assoc#0}`
}

Should it?

[rust-bors]

☀️ Try build successful (CI)
Build commit: e117153 (e117153a45c546e883c1f91d82611775fcaeffe0, parent: c90bcb9571b7aab0d8beaa2ce8a998ffaf079d38)

[traviscross]

@craterbot check

[craterbot]

👌 Experiment pr-146470 created and queued.
🤖 Automatically detected try build e117153
🔍 You can check out the queue and this experiment's details.

ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more

[craterbot]

🚧 Experiment pr-146470 is now running

ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more

[tmandry]

@petrochenkov Do you agree with the analysis I wrote above?

Also, regarding the equivalence to associated types, in the lang meeting we were surprised to see that this compiled:

mod m {
    pub trait Outer {
        #[expect(private_bounds)]
        type Inner: Private;
        fn get(&self) -> Self::Inner;
    }
    trait Private {}
}

fn foo<T: m::Outer>(inp: &T) {
    let x: T::Inner = inp.get();
}

[petrochenkov]

@petrochenkov Do you agree with the analysis I wrote above?

I agree.

Also, regarding the equivalence to associated types, in the lang meeting we were surprised to see that this compiled:

Discussed above in #146470 (comment).
Upd: I think c5221eb should be bundled into this PR and everything should be merged together.

[tmandry]

Thanks for confirming @petrochenkov. So if I understand correctly, another framing we can use is that there was a bug in how we handled associated type bounds (it's a bug in that it diverged from the original pub-in-priv RFC). Together with c5221eb, this PR would be fixing that bug both in direct associated types and in RPITITs (which desugar to associated types).

[tmandry]

I've updated the lang report in #146470 (comment).

[tmandry]

@petrochenkov Has a crater run ever been done for c5221eb?

If not, could one of you include it in this PR and kick off a crater run please?

[petrochenkov]

Has a crater run ever been done for c5221eb?

No

[rustbot]

⚠️ Warning ⚠️

• This PR is based on an upstream commit that is older than 28 days.

  It's recommended to update your branch according to the rustc-dev-guide.

[mladedav]

I've added 14fea185a93 which seems to be the same commit, but I couldn't find c5221eb anywhere in the history or petrochenkov's fork.

@craterbot check

[craterbot]

🔒 Error: you're not allowed to interact with this bot.

🔑 If you are a member of a Rust team and need access, please update rust-lang/team to grant your team or yourself access to the crater permission.
ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more

[rust-log-analyzer]

The job x86_64-gnu-gcc failed! Check out the build log: (web) (plain enhanced) (plain)

Click to see the possible cause of the failure (guessed by this bot)

---- [pretty] tests/pretty/qpath-associated-type-bound.rs stdout ----
------rustc stdout------------------------------

------rustc stderr------------------------------
error[E0446]: private trait `Tu` in public interface
##[error]  --> <anon>:6:9
   |
 6 |         type Ts: super::Tu;
   |         ^^^^^^^^^^^^^^^^^^ can't leak private trait
...
10 | trait Tu {
   | -------- `Tu` declared as private

warning: trait `Tu` is never used
##[warning]  --> <anon>:10:7
   |
10 | trait Tu {
   |       ^^
   |
   = note: `#[warn(dead_code)]` (part of `#[warn(unused)]`) on by default

warning: function `foo` is never used
##[warning]  --> <anon>:14:4
   |
14 | fn foo<T: m::Tr>() { <T as m::Tr>::Ts::dummy(); }
   |    ^^^

warning: trait `Tr` is never used
##[warning] --> <anon>:5:15
  |
---
------------------------------------------

error: pretty-printed source does not typecheck
status: exit status: 1
command: env -u RUSTC_LOG_COLOR RUSTC_ICE="0" RUST_BACKTRACE="short" "/checkout/obj/build/x86_64-unknown-linux-gnu/stage2/bin/rustc" "-" "-Zno-codegen" "--out-dir" "/checkout/obj/build/x86_64-unknown-linux-gnu/test/pretty/qpath-associated-type-bound/qpath-associated-type-bound.pretty-out" "--target=x86_64-unknown-linux-gnu" "-L" "/checkout/obj/build/x86_64-unknown-linux-gnu/test/pretty" "-L" "/checkout/obj/build/x86_64-unknown-linux-gnu/test/pretty/qpath-associated-type-bound/auxiliary.pretty" "-A" "internal_features" "--check-cfg" "cfg(test,FALSE)" "-Crpath" "-Cdebuginfo=0"
stdout: none
--- stderr -------------------------------
error[E0446]: private trait `Tu` in public interface
##[error]  --> <anon>:6:9
   |
 6 |         type Ts: super::Tu;
   |         ^^^^^^^^^^^^^^^^^^ can't leak private trait
...
10 | trait Tu {
   | -------- `Tu` declared as private

warning: trait `Tu` is never used
##[warning]  --> <anon>:10:7
   |
10 | trait Tu {
   |       ^^
   |
   = note: `#[warn(dead_code)]` (part of `#[warn(unused)]`) on by default

warning: function `foo` is never used
##[warning]  --> <anon>:14:4
   |
14 | fn foo<T: m::Tr>() { <T as m::Tr>::Ts::dummy(); }
   |    ^^^

warning: trait `Tr` is never used
##[warning] --> <anon>:5:15
  |

For more information how to resolve CI failures of this job, visit this link.

[traviscross]

@bors2 try

[tmandry]

@rfcbot resolve is my understanding correct

I think I understand this now and am comfortable with moving forward conservatively, pending crater results.

@rfcbot reviewed
@rfcbot concern crater run results

[nikomatsakis]

As I said in the meeting:

@rfcbot reviewed

This seems like a sensible extension and intuitively matches what we do for returning a value of a private struct. Longer term, I would still like to reframe our privacy rules in terms of "capabilities associated with a trait" as I described earlier, and before we actually land this I do want to see the results of the crater run, but generally convinced this is the right next step.

[rust-bors]

☀️ Try build successful (CI)
Build commit: 81ab7f2 (81ab7f2139295590561adbe6d5b0aaa2feff765f, parent: 377656d3dd3f9c23a9c8713e163f4365a5261a84)

[petrochenkov]

@craterbot check

[craterbot]

👌 Experiment pr-146470-3 created and queued.
🤖 Automatically detected try build 81ab7f2
🔍 You can check out the queue and this experiment's details.

ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more

[craterbot]

🚧 Experiment pr-146470-3 is now running

ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more

[craterbot]

🎉 Experiment pr-146470-3 is completed!
📊 3661 regressed and 3 fixed (757534 total)
📊 1978 spurious results on the retry-regressed-list.txt, consider a retry¹ if this is a significant amount.
📰 Open the summary report.

⚠️ If you notice any spurious failure please add them to the denylist!
ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more

Footnotes

1. re-run the experiment with crates=https://crater-reports.s3.amazonaws.com/pr-146470-3/retry-regressed-list.txt ↩

[petrochenkov]

Most of the regressions are crates depending on image-0.25.(7,8,9).
Time to resurrect the private_in_public future compatibility warning, I guess, it was used for closing similar holes in the past.