//@ (There's not even an automatic derivation happening for the cases where it would be possible.)
//@ This restriction propagates up to `Callbacks` itself. What could we do about this?
+//@ ## `Rc`
//@ The solution is to find some way of cloning `Callbacks` without cloning the environments. This can be achieved with
//@ `Rc<T>`, a *reference-counted* pointer. This is is another example of a smart pointer. You can `clone` an `Rc` as often
//@ as you want, that doesn't affect the data it contains. It only creates more references to the same data. Once all the
//@ references are gone, the data is deleted.
//@
//@ Wait a moment, you may say here. Multiple references to the same data? That's aliasing! Indeed:
-//@ Once data is stored in an `Rc`, it is read-only and you can only ever get a shared borrow of the data again.
+//@ Once data is stored in an `Rc`, it is read-only and you can only ever get a shared reference to the data again.
-//@ Because of this read-only restriction, we cannot use `FnMut` here: We'd be unable to call the function with a mutable borrow
-//@ of it's environment! So we have to go with `Fn`. We wrap that in an `Rc`, and then Rust happily derives `Clone` for us.
+//@ Because of this read-only restriction, we cannot use `FnMut` here: We'd be unable to call the function with a mutable reference
+//@ to it's environment! So we have to go with `Fn`. We wrap that in an `Rc`, and then Rust happily derives `Clone` for us.
#[derive(Clone)]
struct Callbacks {
callbacks: Vec<Rc<Fn(i32)>>,
impl Callbacks {
pub fn new() -> Self {
- Callbacks { callbacks: Vec::new() } /*@*/
+ Callbacks { callbacks: Vec::new() }
}
// Registration works just like last time, except that we are creating an `Rc` now.
pub fn call(&self, val: i32) {
// We only need a shared iterator here. Since `Rc` is a smart pointer, we can directly call the callback.
for callback in self.callbacks.iter() {
- callback(val); /*@*/
+ callback(val); /*@*/
}
}
}
//@ So it would be rather sad if we were not able to write this program. Lucky enough, Rust's standard library provides a
//@ solution in the form of `Cell<T>`. This type represents a memory cell of some type `T`, providing the two basic operations
//@ `get` and `set`. `get` returns a *copy* of the content of the cell, so all this works only if `T` is `Copy`.
-//@ `set`, which overrides the content, only needs a *shared borrow* of the cell. The phenomenon of a type that permits mutation through
-//@ shared borrows (i.e., mutation despite the possibility of aliasing) is called *interior mutability*. You can think
+//@ `set`, which overrides the content, only needs a *shared reference* to the cell. The phenomenon of a type that permits mutation through
+//@ shared references (i.e., mutation despite the possibility of aliasing) is called *interior mutability*. You can think
//@ of `set` changing only the *contents* of the cell, not its *identity*. In contrast, the kind of mutation we saw so far was
-//@ about replacing one piece of data by something else of the same type. This is called *exterior mutability*. <br/>
+//@ about replacing one piece of data by something else of the same type. This is called *inherited mutability*. <br/>
//@ Notice that it is impossible to *borrow* the contents of the cell, and that is actually the key to why this is safe.
// So, let us put our counter in a `Cell`, and replicate the example from the previous part.
fn demo_cell(c: &mut Callbacks) {
{
let count = Cell::new(0);
- // Again, we have to move ownership if the `count` into the environment closure.
+ // Again, we have to move ownership of the `count` into the environment closure.
c.register(move |val| {
- // In here, all we have is a shared borrow of our environment. But that's good enough for the `get` and `set` of the cell!
+ // In here, all we have is a shared reference of our environment. But that's good enough for the `get` and `set` of the cell!
//@ At run-time, the `Cell` will be almost entirely compiled away, so this becomes pretty much equivalent to the version
//@ we wrote in the previous part.
let new_count = count.get()+1;
}
//@ It is worth mentioning that `Rc` itself also has to make use of interior mutability: When you `clone` an `Rc`, all it has available
-//@ is a shared borrow. However, it has to increment the reference count! Internally, `Rc` uses `Cell` for the count, such that it
+//@ is a shared reference. However, it has to increment the reference count! Internally, `Rc` uses `Cell` for the count, such that it
//@ can be updated during `clone`.
+//@
+//@ Putting it all together, the story around mutation and ownership through references looks as follows: There are *unique* references,
+//@ which - because of their exclusivity - are always safe to mutate through. And there are *shared* references, where the compiler cannot
+//@ generally promise that mutation is safe. However, if extra circumstances guarantee that mutation *is* safe, then it can happen even
+//@ through a shared reference - as we saw with `Cell`.
// ## `RefCell`
//@ As the next step in the evolution of `Callbacks`, we could try to solve this problem of mutability once and for all, by adding `Cell`
impl CallbacksMut {
pub fn new() -> Self {
- CallbacksMut { callbacks: Vec::new() } /*@*/
+ CallbacksMut { callbacks: Vec::new() }
}
pub fn register<F: FnMut(i32)+'static>(&mut self, callback: F) {
- let cell = Rc::new(RefCell::new(callback));
+ let cell = Rc::new(RefCell::new(callback)); /*@*/
self.callbacks.push(cell); /*@*/
}
pub fn call(&mut self, val: i32) {
for callback in self.callbacks.iter() {
// We have to *explicitly* borrow the contents of a `RefCell` by calling `borrow` or `borrow_mut`.
- //@ At run-time, the cell will keep track of the number of outstanding shared and mutable borrows,
+ //@ At run-time, the cell will keep track of the number of outstanding shared and mutable references,
//@ and panic if the rules are violated. <br />
- //@ For this check to be performed, `closure` is a *guard*: Rather than a normal borrow, `borrow_mut` returns
- //@ a smart pointer (`RefMut`, in this case) that waits until is goes out of scope, and then
- //@ appropriately updates the number of active borrows.
+ //@ For this check to be performed, `closure` is a *guard*: Rather than a normal reference, `borrow_mut` returns
+ //@ a smart pointer ([`RefMut`](https://doc.rust-lang.org/stable/std/cell/struct.RefMut.html), in this case) that waits until is goes out of scope, and then
+ //@ appropriately updates the number of active references.
//@
//@ Since `call` is the only place that borrows the environments of the closures, we should expect that
- //@ the check will always succeed. However, this function would still typecheck with an immutable borrow of `self` (since we are
- //@ relying on the interior mutability of `RefCell`). Under this condition, it could happen that a callback
- //@ will in turn trigger another round of callbacks, so that `call` would indirectly call itself.
- //@ This is called reentrancy. It would imply that we borrow the closure a second time, and
- //@ panic at run-time. I hope this also makes it clear that there's absolutely no hope of Rust
- //@ performing these checks statically, at compile-time: It would have to detect reentrancy!
+ //@ the check will always succeed, as is actually entirely useless. However, this is not actually true. Several different `CallbacksMut` could share
+ //@ a callback (as they were created with `clone`), and calling one callback here could trigger calling
+ //@ all callbacks of the other `CallbacksMut`, which would end up calling the initial callback again. This issue of functions accidentally recursively calling
+ //@ themselves is called *reentrancy*, and it can lead to subtle bugs. Here, it would mean that the closure runs twice, each time thinking it has a
+ //@ unique, mutable reference to its environment - so it may end up dereferencing a dangling pointer. Ouch! Lucky enough,
+ //@ Rust detects this at run-time and panics once we try to borrow the same environment again. I hope this also makes it
+ //@ clear that there's absolutely no hope of Rust performing these checks statically, at compile-time: It would have to detect reentrancy!
let mut closure = callback.borrow_mut();
// Unfortunately, Rust's auto-dereference of pointers is not clever enough here. We thus have to explicitly
- // dereference the smart pointer and obtain a mutable borrow of the content.
+ // dereference the smart pointer and obtain a mutable reference to the content.
(&mut *closure)(val);
}
}
c.call(1); c.clone().call(2);
}
-// **Exercise 12.1**: Change the type of `call` to ask only for a shared borrow. Then write some piece of code using only the available, public
-// interface of `CallbacksMut` such that a reentrant call to `call` is happening, and the program aborts because the `RefCell` refuses to hand
-// out a second mutable borrow to its content.
+// **Exercise 12.1**: Write some piece of code using only the available, public interface of `CallbacksMut` such that a reentrant call to a closure
+// is happening, and the program panics because the `RefCell` refuses to hand out a second mutable borrow of the closure's environment.
-//@ [index](main.html) | [previous](part11.html) | [next](part13.html)
+//@ [index](main.html) | [previous](part11.html) | [raw source](workspace/src/part12.rs) | [next](part13.html)