[MIR-borrowck] Two phase borrows

[pnkfelix]

This adds limited support for two-phase borrows as described in
http://smallcultfollowing.com/babysteps/blog/2017/03/01/nested-method-calls-via-two-phase-borrowing/

The support is off by default; you opt into it via the flag -Z two-phase-borrows

I have written "limited support" above because there are simple variants of the simple v.push(v.len()) example that one would think should work but currently do not, such as the one documented in the test compile-fail/borrowck/two-phase-reservation-sharing-interference-2.rs

(To be clear, that test is not describing something that is unsound. It is just providing an explicit example of a limitation in the implementation given in this PR. I have ideas on how to fix, but I want to land the work that is in this PR first, so that I can stop repeatedly rebasing this branch.)

[rust-highfive]

r? @arielb1

(rust_highfive has picked a reviewer for you, use r? to override)

[nikomatsakis]

Huzzah.

[nikomatsakis]

Nit: formatting is funky. I'm moving these days towards rustfmt-style:

pub(crate) fn place_needs_drop(
    tcx: TyCTxt<...>
    ...,
) -> bool {
    ...
}

[nikomatsakis]

I left various documentation nits.

I'd personally prefer to tweak the "use closures for everything" change to dataflow as well; either to keep the tcx or to thread through the required state as a generic that implements a trait with the method definitions, rather than various closures. I found closures a bit confusing because (a) they move the code out from the fn body into its caller, but (imo) it sort of logically belongs in the callee; (b) they suggest that caller can alter this behavior at will, but I'm not sure that's true; (c) they tend to play poorly with the borrow checker anyway vs a trait, since the borrow checker won't allow two closures to share a mutable borrow (since it doesn't know they don't reach one another).

Anyway, there is one test I didn't see. We want to make sure that people don't start a shared borrow during the reservation period that then continues to be used after the mutable borrow has been activated. Did you have a test for this that I missed? (I actually don't know if the code will handle this correctly or not. I think maybe not, because I believe it requires some kind of special check in the borrow checker at activation time.)

fn read(_: &i32) { } 

fn ok() {
    let mut x = 3;
    let y = &mut x;
    { let z = &x; read(z); }
    *y += 1;
}

fn not_ok() {
    let mut x = 3;
    let y = &mut x;
    let z = &x;
    *y += 1;
    read(z); //~ ERROR somewhere in here
}

[nikomatsakis]

I'd love to see a comment. e.g. what the heck is has_uniform_drop_state supposed to mean?

[nikomatsakis]

Nit: formatting

[nikomatsakis]

Nit: Dead code.

[nikomatsakis]

My concern with this is that there is more-or-less only one "right thing" you can do here in this closure, right? Or is there ever a time that we want other behavior?

[nikomatsakis]

If indeed there all closures are always the same, why not make on_lookup_result_bits abstract over some type T: OnLookupResultBitHelpers, which is only implemented by TyCtxt or something?

[pnkfelix]

One advantage to this approach is that its trivial to add instrumentation to the individual closures. Also, you need both the tcx and the mir, so to get the full effect here (in terms of avoiding having to thread either of those down) I'd have to at the very least make a struct that held both of them, rather than just passing either on its own.

Having said that, I was considering moving to a trait instead of arbitrary closures, largely because I wanted a single thing to carry both of the closures that I occasionally pass in. So I'll look into that.

[pnkfelix]

(Oh, maybe you mean make it a method on tcx that takes the mir as an argument, and then pass in a closure that does |arg| self.tcx.new_method(self.mir, arg) ...? Not sure how that's better/clearer that |arg| current_func(self.tcx, self.mir, arg), though...)

[nikomatsakis]

Is the intention that, if this returns false, the on_entry bit set will not be modified by statement_effect and terminator_effect (but merely used as immutable input)? If so, let's say so explicitly.

[pnkfelix]

Oh, yes, that is indeed my intent. Will fix.

[pnkfelix]

(The fact that a mutable reference is passed is just an artifact of how support for the true case is implemented.)

[nikomatsakis]

I feel like the purpose of this struct should be documented here.

[nikomatsakis]

Also, I think at this point this file is getting quite complex. We might consider breaking out submodules.

[pnkfelix]

(I addressed the doc request but chose not to fragment the file into submodules; I want to wait until after the impl period to do the latter, for the sake of everyone rebasing...)

[nikomatsakis]

Nit: s/LvalueContext/PlaceContext/

[nikomatsakis]

Nit: debug! ?

[pnkfelix]

oops. will fix.

[nikomatsakis]

It's mildly surprising that this function also applies the statement effect on reservations. Perhaps rename to statement_effect_on_activations_and_reservations?

[nikomatsakis]

(Alternatively move that call into the caller, but I think it's maybe nice to have them grouped together here? I guess I could go either way, just want the name to be clear on what is affected.)

[pnkfelix]

yeah I considered having that call in the caller, but I thought at some point there might be a case where the activation effect would want to observe state from both before and after the reservation effect. (This turned out not to be the case in the code so far, but I didn't want to build in an assumption that things would stay that way.)

Anyway the idea in my head is more that the ActiveBorrows bitvector holds both activations and reservations state. So maybe the problem is the naming here, I need some way to succinctly say "the combined reservation and activation state."

PhasedBorrows maybe? And statement_effect_on_phased_borrows ?

[pnkfelix]

I think I'm going to change this so that there's a single method and we pass a is_activations: bool parameter representing the context.

[nikomatsakis]

Pre-existing, but I feel like the enclosing function here deserves a comment explaining what it does, and I would expect this (quite clever, actually) bit here to be in that comment (i.e., invokes with either a RESERVATION or ACTIVATION for each borrowed path, whichever is more specific).

[pnkfelix]

(addressed by new commit injected earlier in commit history)

[pnkfelix]

Anyway, there is one test I didn't see. [...]

Ack, you are right! Even after you've pointed out several times that the activation point needs this check, I thought what I had for the reservation point would suffice.

Will fix!

[nikomatsakis]

Update: this test seems to compile for me:

#![allow(dead_code)]

fn read(_: &i32) { } 

fn ok() {
    let mut x = 3;
    let y = &mut x;
    { let z = &x; read(z); }
    *y += 1;
}

fn not_ok() {
    let mut x = 3;
    let y = &mut x;
    let z = &x;
    *y += 1;
    read(z); //~ ERROR somewhere in here
}

Example:

> rustc --stage1 ~/tmp/pnkfelix.rs -Zborrowck=mir -Ztwo-phase-borrows
> // look ma, no errors

[bors]

☔ The latest upstream changes (presumably #46268) made this pull request unmergeable. Please resolve the merge conflicts.

[pnkfelix]

@nikomatsakis okay, pushed commit that adds support for checking the activation points explicitly against other borrows that overlap it, and added your test (with some extra variants added to show ... a current oddity in the implementation...)

Going to look into tweaking the "use closures for everything" change to dataflow next, before addressing other nits (and rebasing to resolve the upstream conflicts).

[pnkfelix]

@nikomatsakis what do you think of the name trait PlaceObservations for a trait that gathers together fn needs_drop and fn has_uniform_drop_state?

[pnkfelix]

(and is solely implemented by (tcx, mir) ...)

[carols10cents]

r? @nikomatsakis

this also doubles as a rereview/question answering ping for you!

@nikomatsakis what do you think of the name trait PlaceObservations for a trait that gathers together fn needs_drop and fn has_uniform_drop_state?

[pnkfelix]

Okay I think I have incorporated all review feedback (and gone through yet another semi-nasty rebase....)

Lets get this landed! 😄

[arielb1]

no because it doesn't care about the borrow being immutable/mutable.

[arielb1]

Can you just switch this to be a .get?

[arielb1]

match self.mir[location.block].statements.get(location.statement_index) {
    Statement { kind: StatementKind::Assign(...), ..) => {
    // ..

[arielb1]

conflict_error should return true because an error had already been reported (earlier).

[arielb1]

what's the idea of this? If there's a reservation going around a loop, this could actually cause unsoundness.

[pnkfelix]

First off: Good catch. I definitely need to think more about this.

Explanation: The reason for this check here is to ensure that the activation is not treated as a conflict with its own reservation. (Any time we reach a activating use, it is by definition going to have a reservation for that borrow also in the current flow state -- because if there wasn't a reservation in the flow state, then we would not consider the use an activation.)

But your loop example is important, and may show a big flaw in how I've approached this.

I think I've made a mistake in that the current Reservations dataflow is tracking what borrows may reach a location, but for the scenario I'm trying to catch here, it might be necessary to use a must-reach semantics. Building up that flow analysis and employing it (at least for the desired filter here) might be a way to resolve the loop example you give (because with must-reach, a control-flow merge on entry to the loop will remove the reservations that are introduced within the loop itself).

• Having said that, such an analysis is a pretty big addition to the framework here. I need to think more on this.

[pnkfelix]

(Another potential answer, suggested by @nikomatsakis, might be to treat the reservation in a loop as an error.)

[arielb1]

so this error suppression might actually fix #45697 if it's moved out of this loop.

[arielb1]

r=me mod. comments

[pnkfelix]

Okay I think I've addressed almost all of the comments above.

There are some extant bugs that I'll need to address (I only now attempted turning the flag off by default and seeing what happens with all the current -Z borrowck=mir test cases), but I think I want to land this first and then deal with those afterwards.

• Huzzah, all the "bugs" identified in the compile-fail tests are not bugs at all, they are showing a feature where -Z borrowck=mir -Z two-phase-borrows behaves somewhat like non-lexical lifetimes even without passing -Z nll

(the five identifies failures are discussed in the details block below)

test	errors	evaluation
compile-fail/borrowck/borrowck-describe-lvalue.rs	22 expected errors not found	test is written assuming lexical lifetimes + single-phase borrows (i.e. just mutably borrows with no use to introduce conflict); will fix
compile-fail/borrowck/borrowck-match-already-borrowed.rs	compiled successfully!	(ibid)
compile-fail/borrowck/borrowck-overloaded-index-ref-index.rs	2 expected errors not found	(ibid)
compile-fail/borrowck/borrowck-union-borrow.rs	6 expected errors not found	(ibid)
compile-fail/coerce-overloaded-autoderef.rs	1 unexpected error found, 1 expected error not found	lol this is just the same error being reworded, perhaps due to a change to traversal order? (i.e. "mut also borrowed as imm" ⇒ "imm also borrowed as mut")

[pnkfelix]

@bors r+

[bors]

📌 Commit 159037e has been approved by pnkfelix

[arielb1]

@bors r-

[arielb1]

That should have been an r=arielb1 or r=nikomatsakis

[arielb1]

@bors r+

[bors]

📌 Commit 159037e has been approved by arielb1

[arielb1]

However, it's probably a wise idea to limit reservations to assignments to temporaries. I don't think MIR construction ever does anything else, but you shouldn't be able to do this:

let mut a = 0;
let mut b = 0;
let mut x: &mut u32 = &mut a;
let y = &mut x;
*y = &mut b; // this borrow should be active
// look at me, no use of `*y`, but:
use(x, &b); // should be illegal

[bors]

⌛ Testing commit 159037e with merge 84feab3...

[bors]

☀️ Test successful - status-appveyor, status-travis
Approved by: arielb1
Pushing 84feab3 to master...