From: Ralf Jung Date: Wed, 31 Jan 2018 16:29:23 +0000 (+0100) Subject: use borrowing terminology in invariants; typos X-Git-Url: https://git.ralfj.de/web.git/commitdiff_plain/7eb29c4567e824e5adb375056b80bea94fd5fd9b?ds=inline use borrowing terminology in invariants; typos --- diff --git a/ralf/_posts/2018-01-31-sharing-for-a-lifetime.md b/ralf/_posts/2018-01-31-sharing-for-a-lifetime.md index b009527..8dd10da 100644 --- a/ralf/_posts/2018-01-31-sharing-for-a-lifetime.md +++ b/ralf/_posts/2018-01-31-sharing-for-a-lifetime.md @@ -8,7 +8,7 @@ This post is about an aspect of the [RustBelt paper]({{ site.baseurl }}{% post_u Concretely, I'd like to share some of our thoughts on the nature of types and shared references. Let's see how well this goes. :) -Shared references are an extremely powerful mechanism in the Rust type system, and we've had quite some trouble fining a good way for handling them in our [formal model]({{ site.baseurl }}{% post_url 2015-10-12-formalizing-rust %}). +Shared references are an extremely powerful mechanism in the Rust type system, and we've had quite some trouble finding a good way of handling them in our [formal model]({{ site.baseurl }}{% post_url 2015-10-12-formalizing-rust %}). In this post, I will present the model that we came up with. Let's get started by discussing what a "model" of a type looks like, and what's so hard about handling shared references. @@ -33,9 +33,9 @@ The (syntactic) data layout imposes some basic structure on the permitted sequen For example, the sequence of four `0` bytes is valid at `i32` but not at `NonZero`. As another example, a pointer is valid at `Box` if it points to four bytes of *owned* memory[^2], and these four bytes are a valid `i32`. -Finally, a pointer is valid at `&'a mut T` if it points to `size_of::()` many bytes of memory[^3] that are *owned for lifetime `'a`*, and those bytes are valid at `T`. +Finally, a pointer is valid at `&'a mut T` if it points to `size_of::()` many bytes of memory[^3] that are *borrowed for lifetime `'a`*, and those bytes are valid at `T`. -[^2]: I will also mostly ignore how the concept of *ownership* can be made more precise. If you want to dig deeper, the keyword is [separation logic](https://en.wikipedia.org/wiki/Separation_logic). We had to extend separation logic to be able to handle "ownership for some lifetime", but you don't have to understand any of that to follow this post. That's the plan, anyway. +[^2]: I will also mostly ignore how the concept of *ownership* can be made more precise. If you want to dig deeper, the keyword is [separation logic](https://en.wikipedia.org/wiki/Separation_logic). We had to extend separation logic to be able to handle borrowing as well, but the details of all of this don't matter for this post. That's the plan, anyway. [^3]: Yes, we do ignore unsized types here. @@ -67,7 +67,7 @@ This already excludes the possibility of data races. Secondly, `Cell` does not permit obtaining a *deep pointer* into the data. So, changing a `Cell>` from `Ok(true)` to `Err(42)` cannot invalidate any pointers that still expect a `bool` in the `Result`. -Coming back to our model, we could say that `&'a Cell` is a pointer valid for lifetime `'a` that points to `size_of::()` many bytes of memory that (for this lifetime) may *be accessed by any code running in the current thread, but not by any other code*; and moreover, those bytes are valid at `T`. +Coming back to our model, we could say that `&'a Cell` is a pointer that points to `size_of::()` many bytes of memory that, for the duration of `'a`, may *be accessed by any code running in the current thread, but not by any other code*; and moreover, those bytes are valid at `T`. This definition forces `&Cell` to *not* be `Send` (because the model refers to the "current thread", so changing that thread could violate the invariant) and hence `Cell` must not be `Sync`. It also rules out pointers into a `Cell>`: Say we would want to have a pointer to the `Ok` data, which would have type `&Cell`. We could not show that this pointer is actually valid at the given type, because anyone in the current thread could modify the (outer) `Cell>` at any time, and if they write an `Err(42)` in it they will violate the requirements that an `&Cell` only ever points to a valid `bool`! @@ -79,7 +79,7 @@ Coming to `Mutex`, the justification for why `Mutex::lock` and `MutexGuard::dere A `Mutex` implements *mutual exclusion* (hence the name), so only one thread can ever hold the lock. As a result, giving that thread mutable access to the inner data cannot result in any data races or other conflicts with other threads. -In the model (and I'm going to gloss over more and more details here), we will say that `&'a Mutex` is valid if everyone accessing the memory it points to follows the locking discipline. +In the model (and I'm going to gloss over more and more details here), we will say that `&'a Mutex` is valid if everyone accessing the memory it points to during the lifetime `'a` follows the locking discipline. A `MutexGuard` is valid if we actually own the lock of the corresponding `Mutex`. Together, this is sufficient to justify safety of all the `Mutex` and `MutexGuard` operations.