librustc: Require lifetimes within the types of values with destructors

to have strictly greater lifetime than the values themselves.

Additionally, remove `#[unsafe_destructor]` in favor of these new
restrictions.

This broke a fair amount of code that had to do with `RefCell`s. We will
probably need to do some work to improve the resulting ergonomics. Most
code that broke looked like:

    match foo.bar.borrow().baz { ... }
    use_foo(&mut foo);

Change this code to:

    {
        let bar = foo.bar.borrow();
        match bar.baz { ... }
    }
    use_foo(&mut foo);

This fixes an important memory safety hole relating to destructors,
represented by issue rust-lang#8861.

[breaking-change]

Author: pcwalton

src/jemalloc

@@ -1084,27 +1084,29 @@ impl<T: Ord> Set<T> for TreeSet<T> {
     }
 
     fn is_subset(&self, other: &TreeSet<T>) -> bool {
-        let mut x = self.iter();
-        let mut y = other.iter();
-        let mut a = x.next();
-        let mut b = y.next();
-        while a.is_some() {
-            if b.is_none() {
-                return false;
-            }
+        {
+            let mut x = self.iter();
+            let mut y = other.iter();
+            let mut a = x.next();
+            let mut b = y.next();
+            while a.is_some() {
+                if b.is_none() {
+                    return false;
+                }
 
-            let a1 = a.unwrap();
-            let b1 = b.unwrap();
+                let a1 = a.unwrap();
+                let b1 = b.unwrap();
 
-            match b1.cmp(a1) {
-                Less => (),
-                Greater => return false,
-                Equal => a = x.next(),
-            }
+                match b1.cmp(a1) {
+                    Less => (),
+                    Greater => return false,
+                    Equal => a = x.next(),
+                }
 
-            b = y.next();
+                b = y.next();
+            }
+            true
         }
-        true
     }
 }
 

src/libcollections/treemap.rs

@@ -310,8 +310,11 @@ impl<T> RefCell<T> {
 
 #[unstable = "waiting for `Clone` to become stable"]
 impl<T: Clone> Clone for RefCell<T> {
-    fn clone(&self) -> RefCell<T> {
-        RefCell::new(self.borrow().clone())
+    fn clone<'a>(&'a self) -> RefCell<T> {
+        {
+            let borrowed: Ref<'a,T> = self.borrow();
+            RefCell::new(borrowed.clone())
+        }
     }
 }
 

src/libcore/cell.rs

@@ -90,16 +90,22 @@ impl<T> Finally<T> for fn() -> T {
  *     })
  * ```
  */
-pub fn try_finally<T,U,R>(mutate: &mut T,
-                          drop: U,
-                          try_fn: |&mut T, U| -> R,
-                          finally_fn: |&mut T|)
-                          -> R {
-    let f = Finallyalizer {
-        mutate: mutate,
-        dtor: finally_fn,
-    };
-    try_fn(&mut *f.mutate, drop)
+pub fn try_finally<'a,
+                   T,
+                   U,
+                   R>(
+                   mutate: &'a mut T,
+                   drop: U,
+                   try_fn: |&mut T, U| -> R,
+                   finally_fn: |&mut T|:'a)
+                   -> R {
+    {
+        let f: Finallyalizer<'a,T> = Finallyalizer {
+            mutate: mutate,
+            dtor: finally_fn,
+        };
+        try_fn(&mut *f.mutate, drop)
+    }
 }
 
 struct Finallyalizer<'a,A:'a> {

src/libcore/finally.rs

@@ -61,10 +61,13 @@ impl BasicLoop {
 
     fn remote_work(&mut self) {
         let messages = unsafe {
-            mem::replace(&mut *self.messages.lock(), Vec::new())
+            let lock = &mut *self.messages.lock();
+            mem::replace(lock, Vec::new())
         };
-        for message in messages.move_iter() {
-            self.message(message);
+        {
+            for message in messages.move_iter() {
+                self.message(message);
+            }
         }
     }
 

src/libgreen/basic.rs

@@ -258,7 +258,10 @@ pub fn build_session_(sopts: config::Options,
         recursion_limit: Cell::new(64),
     };
 
-    sess.lint_store.borrow_mut().register_builtin(Some(&sess));
+    {
+        sess.lint_store.borrow_mut().register_builtin(Some(&sess));
+    }
+
     sess
 }
 

src/librustc/driver/session.rs

@@ -244,9 +244,8 @@ impl<'a, 'v> Visitor<'v> for Context<'a> {
                                        "unsafe_destructor") {
                     self.gate_feature("unsafe_destructor",
                                       i.span,
-                                      "`#[unsafe_destructor]` allows too \
-                                       many unsafe patterns and may be \
-                                       removed in the future");
+                                      "`#[unsafe_destructor]` does nothing \
+                                       anymore")
                 }
             }
 

src/librustc/front/feature_gate.rs

@@ -318,6 +318,9 @@ fn parse_region(st: &mut PState, conv: conv_did) -> ty::Region {
       't' => {
         ty::ReStatic
       }
+      'n' => {
+        ty::ReFunction
+      }
       'e' => {
         ty::ReStatic
       }

src/librustc/metadata/tydecode.rs

@@ -149,6 +149,9 @@ pub fn enc_region(w: &mut SeekableMemWriter, cx: &ctxt, r: ty::Region) {
         ty::ReScope(nid) => {
             mywrite!(w, "s{}|", nid);
         }
+        ty::ReFunction => {
+            mywrite!(w, "n");
+        }
         ty::ReStatic => {
             mywrite!(w, "t");
         }

src/librustc/metadata/tyencode.rs

@@ -490,7 +490,7 @@ impl tr for ty::Region {
             ty::ReScope(id) => {
                 ty::ReScope(dcx.tr_id(id))
             }
-            ty::ReEmpty | ty::ReStatic | ty::ReInfer(..) => {
+            ty::ReEmpty | ty::ReStatic | ty::ReInfer(..) | ty::ReFunction => {
                 *self
             }
             ty::ReFree(ref fr) => {