Avoid leaking internal pointers with 'static lifetimes

[erickt]

the get_root methods were tripping over the bug rust-lang/rust#13853, which is unable to handle a method like fn foo<'a, T: Bar<'a>>(...). This PR avoids that bug by moving the lifetime onto the trait.

[dwrensha]

This change might give the get_root methods a slightly saner appearance, but as far as I can tell it doesn't make them any safer.

E.g., after applying this PR, the following still typechecks, even though the foo() function returns an invalid pointer:

#![crate_type = "bin"]

extern crate capnp;
pub mod addressbook_capnp;

pub mod addressbook {
    use addressbook_capnp::address_book;
    use capnp::{MessageBuilder, MallocMessageBuilder};

    pub fn foo<'a>() -> address_book::Builder<'a> {
        let mut message = MallocMessageBuilder::new_default();
        let address_book = message.init_root::<address_book::Builder>();
        return address_book;
    }

}

pub fn main() {}

To get the safety we want, I think we really need to be able to constrain the lifetime of the output by the lifetime of the input, like this:

fn get_root<'a, T : layout::FromStructReader<'a>>(&'a self) -> T 

Maddeningly, there were a few months over the summer where I could actually use this signature and it appeared to do what I wanted. But as of about a month ago, it looks like we again need to wait for a fix to rust-lang/rust#13853. :(

As far as I understand, this PR would also make it impossible to seal a MessageReader as a trait object (i.e. a Box<MessageReader>) that fulfills core::kinds::Send. That limitation might be annoying for some use cases.

P.S. I do appreciate the attention you're giving this project! If nothing else, you're reinforcing the notion that I need to work on documentation.

[erickt]

I'm betting the reason why we're not getting our safety is because of some transmutes must be somehow creating values with a lifetime without tying them to an actual object. Unfortunately I have to do real work so I can't look into it at the moment.

yeah, there won't really be any way to make a MessageReader sendable. But to be fair, that wouldn't be safe to share references across threads.

And finally, happy to help! capn proto is quite nifty :)

[dwrensha]

No, the problem was just that you forgot some explicit lifetime parameters. I'll merge this and go ahead and add them.

Thanks!

[erickt]

I had lifetimes originally, but I removed them because theoretically lifetime inference should have inserted them. Maybe that's where a transmute broke the link between lifetimes?

[dwrensha]

In my understanding, your signature

fn init_root<T : FromStructBuilder<'a> + HasStructSize>(&mut self) -> T;

is equivalent to

fn init_root<'b, T : FromStructBuilder<'a> + HasStructSize>(&'b mut self) -> T;

In particular, there is no constraint between 'a and 'b.

Admittedly, though, my understanding here may be incomplete, and I've been uneasy about implicit lifetimes ever since lifetime elision was introduced.